cleantalk
Vulnerabilities and Security Researches

WP Gravity Forms Insightly, 56cb8480-1791-4990-8fc7-2cb98a10c207

CVE, Research URL

56cb8480-1791-4990-8fc7-2cb98a10c207

Home page URL

Security reports for WP Gravity Forms Insightly

Application

WP Gravity Forms Insightly

Published on
-
Research Description
WP Gravity Forms Insightly [gf-insightly] < 1.0.7 Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All vendor&#039;s plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped. Timeline: August 2nd, 2021 - Details sent to vendor August 16th, 2021 - Escalated to WP due to unresponsive vendor August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it. August 26th, 2021 - Public disclosure August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
Affected versions
Min -, max 1.0.7.
Status
vulnerable
Previous vulnerability researches
WP Gravity Forms Insightly (56cb8480-1791-4990-8fc7-2cb98a10c207) , Jun 06, 2024
New vulnerability
Simple WP Events (CVE-2025-32193) , Apr 06, 2025
Post to Social Media &#8211; WordPress to Hootsuite (CVE-2025-32267) , Apr 06, 2025
Easy WP Optimizer &#8211; Optimize DB &amp; WordPress (CVE-2025-32147) , Apr 06, 2025
Embed Chessboard (CVE-2025-32177) , Apr 06, 2025
teachPress (CVE-2025-32149) , Apr 06, 2025