- Published on
-
-
- Research Description
-
WP Gravity Forms Insightly [gf-insightly] < 1.0.7
Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting
Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator.
It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped.
Timeline:
August 2nd, 2021 - Details sent to vendor
August 16th, 2021 - Escalated to WP due to unresponsive vendor
August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it.
August 26th, 2021 - Public disclosure
August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue
August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue
August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue
September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
- Affected versions
-
Min -, max 1.0.7.
Plugin Security Certification
Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Get Plugin Security Certificate
| Previous vulnerability researches |
|
Infusionsoft Web Form JavaScript
(CVE-2025-31629)
, Apr 02, 2025
|
|
WP Keap/Infusionsoft WooCommerce Plugin
(56cb8480-1791-4990-8fc7-2cb98a10c207)
, Jun 06, 2024
|
|
Infusionsoft Analytics for WordPress
(CVE-2025-25145)
, Feb 05, 2025
|
|
Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
(56cb8480-1791-4990-8fc7-2cb98a10c207)
, Jun 07, 2024
|
|
WP Gravity Forms Keap/Infusionsoft
(56cb8480-1791-4990-8fc7-2cb98a10c207)
, Jun 07, 2024
|
| New vulnerability |
|
WR Price List Manager For Woocommerce
(CVE-2025-31794)
, Apr 05, 2025
|
|
SrbTransLatin – Serbian Latinisation
(CVE-2025-31421)
, Apr 05, 2025
|
|
Advanced Typekit
(CVE-2025-31622)
, Apr 05, 2025
|
|
TailPress – Tailwind for WordPress
(CVE-2025-31558)
, Apr 05, 2025
|
|
Team Rosters
(CVE-2025-31905)
, Apr 05, 2025
|