cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for cf7-zoho

Jun 06, 2024

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin # 56cb8480-1791-4990-8fc7-2cb98a10c207

Date
-
Research Description
WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin [cf7-zoho] < 1.1.8

Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting

Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues executed in the context of a logged-in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All of the vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped.

Timeline:
August 2nd, 2021 - Details sent to vendor
August 16th, 2021 - Escalated to WP due to unresponsive vendor
August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it.
August 26th, 2021 - Public disclosure
August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue
August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue
August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue
September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
Affected versions
max 1.1.8.
Status
vulnerable

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin # CVE-2023-25976

CVE, Research URL

CVE-2023-25976

Date
May 26, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2 versions.
Affected versions
max 1.2.3.
Status
vulnerable

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin # CVE-2023-2527

CVE, Research URL

CVE-2023-2527

Date
Jun 19, 2023
Research Description
The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
Affected versions
max 1.2.4.
Status
vulnerable
Jun 13, 2026

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin # CVE-2025-49330

CVE, Research URL

CVE-2025-49330

Date
Jun 17, 2025
Research Description
Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin cf7-zoho allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0.
Affected versions
max 1.3.1.
Status
vulnerable