cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for integration-for-contact-form-7-and-pipedrive

Jun 07, 2024

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms # 56cb8480-1791-4990-8fc7-2cb98a10c207

Date
-
Research Description
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms [integration-for-contact-form-7-and-pipedrive] < 1.1.1
Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting

Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All of the vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped.

Timeline:
August 2nd, 2021 - Details sent to vendor
August 16th, 2021 - Escalated to WP due to unresponsive vendor
August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it.
August 26th, 2021 - Public disclosure
August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue
August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue
August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue
September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
Affected versions
Min -, max -.
Status
vulnerable

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms # CVE-2024-34817

CVE, Research URL

CVE-2024-34817

Date
May 14, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms. This issue affects Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.0.
Affected versions
Min -, max -.
Status
vulnerable
Jul 21, 2025

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms # CVE-2025-7696

CVE, Research URL

CVE-2025-7696

Date
Jul 19, 2025
Research Description
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Affected versions
Min -, max -.
Status
vulnerable