Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Security & Risk Analysis

Send Contact Form 7, WPForms, Elementor, Ninja Forms, WPforms, Elementor, Ninja Forms, Contact Form Entries Plugin and many other contact form submiss …

5K active installs v1.4.4 PHP 5.3+ WP 3.8+ Updated Jan 20, 2026

contact-form-7contact-form-7-hubspotelementor-forms-hubspotninja-forms-hubspotwpforms-hubspot

A · Safe

CVEs total5

Unpatched0

Last CVEJan 22, 2026

Plugin page Download

Safety Verdict

Is Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Safe to Use in 2026?

Generally Safe

Score 95/100

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEsLast CVE: Jan 22, 2026Updated 2mo ago

Risk Assessment

The 'cf7-hubspot' plugin version 1.4.4 presents a mixed security posture. On the positive side, the static analysis reveals a commendable absence of direct entry points like AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication. Furthermore, the plugin demonstrates good practices with a high percentage of SQL queries using prepared statements and a significant portion of output being properly escaped. The taint analysis also indicates no critical or high severity unsanitized flows, which is a strong indicator of code quality in this regard. However, the plugin's vulnerability history is a significant concern. With a total of 5 known CVEs, all categorized as medium severity, and a history of diverse vulnerability types including SQL injection, CSRF, open redirect, and XSS, this plugin has a clear track record of security flaws. The fact that the last vulnerability was in 2026-01-22 suggests it is either actively maintained to patch issues, or the reported vulnerabilities are historical and have since been addressed, but the sheer number and variety of past issues warrant careful consideration.

Despite the absence of immediate, critical risks identified in the static analysis for this specific version, the historical vulnerability pattern strongly suggests a need for vigilance. The presence of file operations and external HTTP requests, while not inherently insecure, could be potential vectors if not handled with extreme care, especially given the plugin's past issues. The bundled Select2 library, while not flagged as outdated, is worth monitoring for potential vulnerabilities in its own right. In conclusion, while version 1.4.4 appears to have improved its direct attack surface and code hygiene compared to potentially earlier versions, the cumulative vulnerability history necessitates a risk-averse approach. Users should be aware of the past issues and ensure the plugin is updated to the latest version to mitigate any lingering or new undiscovered vulnerabilities.

Key Concerns

Past CVEs indicate a history of vulnerabilities
Vulnerability history includes SQL injection
Vulnerability history includes XSS
Vulnerability history includes Open Redirect
Vulnerability history includes CSRF
Vulnerability history includes Sensitive Data Exposure
2 file operations identified
2 external HTTP requests identified
Bundled library (Select2) identified

Vulnerabilities

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Security Vulnerabilities

CVEs by Year

1 CVE in 2021

2021

1 CVE in 2023

2023

1 CVE in 2024

2024

1 CVE in 2025

2025

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

5 total CVEs

CVE-2026-24559medium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

Integration for Contact Form 7 HubSpot <= 1.4.3 - Authenticated (Subscriber+) Information Exposure

Jan 22, 2026 Patched in 1.4.4 (7d)

CVE-2025-68590medium · 4.9Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Integration for Contact Form 7 HubSpot <= 1.4.2 - Authenticated (Administrator+) SQL Injection

Dec 25, 2025 Patched in 1.4.3 (12d)

CVE-2024-34756medium · 4.3Cross-Site Request Forgery (CSRF)

Integration for Contact Form 7 HubSpot <=1.3.1 - Cross-Site Request Forgery

May 14, 2024 Patched in 1.3.2 (7d)

CVE-2023-31095medium · 4.3URL Redirection to Untrusted Site ('Open Redirect')

Integration for Contact Form 7 HubSpot <= 1.2.8 - Open Redirect via state parameter

Apr 26, 2023 Patched in 1.2.9 (272d)

WF-cc1e9778-2860-4e3c-a2e4-28f10d585fed-cf7-hubspotmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks - Various Plugins (Various Versions) - Reflected Cross-Site Scripting

Aug 26, 2021 Patched in 1.2.0 (880d)

Code Analysis

Analyzed Mar 16, 2026

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Code Analysis

Dangerous Functions

Raw SQL Queries

29 prepared

Unescaped Output

105

336 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Select2

SQL Query Safety

81% prepared36 total queries

Output Escaping

76% escaped441 total outputs

Data Flows

All sanitized

Data Flow Analysis

4 flows

settings_page (includes\plugin-pages.php:1573)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 39

actionplugins_loadedcf7-hubspot.php:60

actioncfx_form_submittedcf7-hubspot.php:128

actionvxcf_entry_createdcf7-hubspot.php:129

actionvx_contact_createdcf7-hubspot.php:130

actionvx_callcenter_entry_createdcf7-hubspot.php:131

filterwpcf7_before_send_mailcf7-hubspot.php:133

actionfrm_after_create_entrycf7-hubspot.php:135

actionninja_forms_after_submissioncf7-hubspot.php:136

actionwpforms_process_entry_savecf7-hubspot.php:137

actionelementor_pro/forms/new_recordcf7-hubspot.php:139

actioninitcf7-hubspot.php:145

actionvx_cf_add_meta_boxincludes\crmperks-cf.php:10

actioncfx_add_meta_boxincludes\plugin-pages.php:35

actioncfx_form_entry_updatedincludes\plugin-pages.php:36

actioncfx_form_post_note_addedincludes\plugin-pages.php:37

actioncfx_form_pre_note_deletedincludes\plugin-pages.php:38

actioncfx_form_pre_trash_leadsincludes\plugin-pages.php:39

actioncfx_form_pre_restore_leadsincludes\plugin-pages.php:40

filteradmin_menuincludes\plugin-pages.php:52

filtervx_cf_meta_boxes_rightincludes\plugin-pages.php:53

actionadmin_noticesincludes\plugin-pages.php:54

filterplugin_action_linksincludes\plugin-pages.php:55

actionvxcf_entry_submit_btnincludes\plugin-pages.php:56

actionvx_cf7_post_note_addedincludes\plugin-pages.php:58

actionvx_cf7_pre_note_deletedincludes\plugin-pages.php:59

actionvx_cf7_pre_trash_leadsincludes\plugin-pages.php:60

actionvx_cf7_pre_restore_leadsincludes\plugin-pages.php:61

actionvx_cf7_entry_updatedincludes\plugin-pages.php:62

actionvx_contact_post_note_addedincludes\plugin-pages.php:64

actionvx_contact_pre_note_deletedincludes\plugin-pages.php:65

actionvx_contact_pre_trash_leadsincludes\plugin-pages.php:66

actionvx_contact_pre_restore_leadsincludes\plugin-pages.php:67

actionvx_contact_entry_updatedincludes\plugin-pages.php:68

filtervx_callcenter_entries_actionincludes\plugin-pages.php:70

filtervx_callcenter_bulk_actionsincludes\plugin-pages.php:71

filterplugin_row_metawp\crmperks-notices.php:16

filteradmin_footer_textwp\crmperks-notices.php:24

actionadmin_noticeswp\crmperks-notices.php:26

filterplugins_apiwp\crmperks-notices.php:28

Maintenance & Trust

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 20, 2026

PHP min version5.3

Downloads180K

Community Trust

Rating98/100

Number of ratings53

Active installs5K

Alternatives

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Alternatives

WPOP Contact Form 7 to Hubspot

wpop-contactform-hubspot

Add Contact Form 7 Data to Hubspot Contact lists.

200 No CVEs

Contact Form user to HubSpot Contacts

cf7-user-to-hubspot-contacts

Plugin sends Contact Form 7 (first name, last name, email, phone) to HubSpot CRM contact.

0 No CVEs

Database Addon for Contact Form 7 – CFDB7

contact-form-cfdb7

Save and manage Contact Form 7 messages. Never lose important data. It is a lightweight contact form 7 database plugin.

600K 7 CVEs

ReCaptcha v2 for Contact Form 7

wpcf7-recaptcha

100

Adds reCaptcha v2 from Contact Form 7 5.0.5 that was dropped on Contact Form 7 5.1

200K No CVEs

Redirection for Contact Form 7

wpcf7-redirect

Redirect to any page or URL, execute scripts after submission, save data to the database, and unlock additional submission actions for Contact Form 7.

200K 14 CVEs

Developer Profile

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms Developer Profile

CRM Perks

32 plugins · 105K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

349 days

View full developer profile

Detection Fingerprints

How We Detect Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/cf7-hubspot/admin/css/admin.css/wp-content/plugins/cf7-hubspot/admin/js/admin.js/wp-content/plugins/cf7-hubspot/css/style.css/wp-content/plugins/cf7-hubspot/js/script.js

Script Paths

/wp-content/plugins/cf7-hubspot/admin/js/admin.js/wp-content/plugins/cf7-hubspot/js/script.js

Version Parameters

cf7-hubspot/admin/css/admin.css?ver=cf7-hubspot/admin/js/admin.js?ver=cf7-hubspot/css/style.css?ver=cf7-hubspot/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

vxcf-hubspot-settings

HTML Comments

Data Attributes

data-crmperks-plugin-id="cf7-hubspot"

JS Globals

vxcf_hubspot_scriptvxcf_hubspot_obj

FAQ