Vulnerabilities and security researches forgf-infusionsoft gf-infusionsoft

Direction: ascending

Jun 07, 2024

WP Gravity Forms Keap/Infusionsoft # 56cb8480-1791-4990-8fc7-2cb98a10c207

CVE, Research URL: 56cb8480-1791-4990-8fc7-2cb98a10c207
Home page URL: Security reports for WP Gravity Forms Keap/Infusionsoft
Application: WP Gravity Forms Keap/Infusionsoft
Date: -
Research Description: WP Gravity Forms Keap/Infusionsoft [gf-infusionsoft] < 1.1.5 Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped. Timeline: August 2nd, 2021 - Details sent to vendor August 16th, 2021 - Escalated to WP due to unresponsive vendor August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it. August 26th, 2021 - Public disclosure August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
Affected versions: max 1.1.5.
Status: vulnerable

Oct 11, 2025

WP Gravity Forms Keap/Infusionsoft # CVE-2025-58006

CVE, Research URL: CVE-2025-58006
Home page URL: Security reports for WP Gravity Forms Keap/Infusionsoft
Application: WP Gravity Forms Keap/Infusionsoft
Date: Sep 23, 2025
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft allows Phishing. This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through 1.2.4.
Affected versions: max 1.2.4.
Status: vulnerable

Nov 10, 2025

WP Gravity Forms Keap/Infusionsoft # CVE-2025-58636

CVE, Research URL: CVE-2025-58636
Home page URL: Security reports for WP Gravity Forms Keap/Infusionsoft
Application: WP Gravity Forms Keap/Infusionsoft
Date: Nov 06, 2025
Research Description: Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through <= 1.2.3.
Affected versions: max 1.2.4.
Status: vulnerable