Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Security & Risk Analysis

wordpress.org/plugins/cf7-salesforce

Send Contact Form 7, WPForms, Elementor, Ninja Forms, Contact Form Entries Plugin and many other contact form submissions to Salesforce.

2K active installs · v1.4.8 · PHP 5.3+ · WP 4.7+ · Updated Jan 20, 2026
Tags: contact-form-7-salesforce, elementor-forms-salesforce, salesforce, wordpress-salesforce, wpforms-salesforce
Score: 92 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Dec 8, 2025
Safety Verdict

Is Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Safe to Use in 2026?

Generally Safe

Score 92/100

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 8, 2025 · Updated 2mo ago
Risk Assessment

The "cf7-salesforce" plugin v1.4.8 exhibits a mixed security posture. On the positive side, the static analysis reveals a clean attack surface: no AJAX handlers, REST API routes, shortcodes, or cron events were identified as exposed without authentication or permission checks. The code uses prepared statements for most of its SQL queries (27 of 35, or 77%) and escapes most of its output (410 of 492, or 83%). Nonce and capability checks are also present, indicating an awareness of WordPress security best practices.

However, there are several areas of concern. The taint analysis identified two high-severity flows with unsanitized paths, which could potentially lead to local file inclusion or other path traversal vulnerabilities if exploited. Furthermore, the plugin has a history of 5 known CVEs, one rated high severity and four medium. The types of past vulnerabilities (Missing Authorization, Exposure of Sensitive Information, CSRF, Open Redirect, and XSS) suggest recurring patterns of input validation and authorization weaknesses. While there are no currently unpatched CVEs, the historical prevalence of these issues warrants caution. The bundled Select2 library also introduces a potential risk if the bundled version has known vulnerabilities that the plugin does not address.

In conclusion, while the plugin has made improvements in its attack surface and output escaping, the high-severity taint flows and a history of diverse and significant vulnerability types indicate that it is not entirely secure. Organizations using the plugin should closely monitor for new vulnerabilities and consider further hardening of input sanitization and authorization mechanisms, especially in relation to the identified taint flows. The presence of a high-severity past CVE, even though it is now patched, suggests a propensity for such issues.

Key Concerns

  • High severity taint flows found
  • History of 1 high severity CVE
  • History of 4 medium severity CVEs
  • Bundled library (Select2) with potential risks
Vulnerabilities
5

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 4

5 total CVEs

CVE-2025-67468 · medium · 4.3 · Missing Authorization

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.6 - Missing Authorization

Dec 8, 2025 · Patched in 1.4.7 (5d)

CVE-2025-4659 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure

May 29, 2025 · Patched in 1.4.5 (1d)

CVE-2024-34755 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Integration for Contact Form 7 and Salesforce <= 1.3.9 - Cross-Site Request Forgery

May 14, 2024 · Patched in 1.4.0 (7d)

CVE-2023-37982 · high · 7.1 · URL Redirection to Untrusted Site ('Open Redirect')

Integration for Contact Form 7 and Salesforce <= 1.3.3 - Open Redirect

Jul 13, 2023 · Patched in 1.3.4 (194d)

WF-cc1e9778-2860-4e3c-a2e4-28f10d585fed-cf7-salesforce · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks - Various Plugins (Various Versions) - Reflected Cross-Site Scripting

Aug 26, 2021 · Patched in 1.2.6 (880d)

Code Analysis
Analyzed Mar 16, 2026

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (27 prepared)
Unescaped Output: 82 (410 escaped)
Nonce Checks: 19
Capability Checks: 26
File Operations: 2
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

77% prepared · 35 total queries

Output Escaping

83% escaped · 492 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
settings_page (includes\plugin-pages.php:1510)
Attack Surface

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 39

action plugins_loaded (cf7-salesforce.php:58)
action cfx_form_submitted (cf7-salesforce.php:99)
action vxcf_entry_created (cf7-salesforce.php:100)
action vx_contact_created (cf7-salesforce.php:101)
action vx_callcenter_entry_created (cf7-salesforce.php:102)
filter wpcf7_before_send_mail (cf7-salesforce.php:104)
action frm_after_create_entry (cf7-salesforce.php:106)
action ninja_forms_after_submission (cf7-salesforce.php:107)
action wpforms_process_entry_save (cf7-salesforce.php:108)
action elementor_pro/forms/new_record (cf7-salesforce.php:110)
action init (cf7-salesforce.php:116)
action vx_cf_add_meta_box (includes\crmperks-cf.php:10)
action cfx_add_meta_box (includes\plugin-pages.php:35)
action cfx_form_entry_updated (includes\plugin-pages.php:36)
action cfx_form_post_note_added (includes\plugin-pages.php:37)
action cfx_form_pre_note_deleted (includes\plugin-pages.php:38)
action cfx_form_pre_trash_leads (includes\plugin-pages.php:39)
action cfx_form_pre_restore_leads (includes\plugin-pages.php:40)
filter admin_menu (includes\plugin-pages.php:52)
filter vx_cf_meta_boxes_right (includes\plugin-pages.php:53)
action admin_notices (includes\plugin-pages.php:54)
filter plugin_action_links (includes\plugin-pages.php:55)
action vxcf_entry_submit_btn (includes\plugin-pages.php:56)
action vx_cf7_post_note_added (includes\plugin-pages.php:58)
action vx_cf7_pre_note_deleted (includes\plugin-pages.php:59)
action vx_cf7_pre_trash_leads (includes\plugin-pages.php:60)
action vx_cf7_pre_restore_leads (includes\plugin-pages.php:61)
action vx_cf7_entry_updated (includes\plugin-pages.php:62)
action vx_contact_post_note_added (includes\plugin-pages.php:64)
action vx_contact_pre_note_deleted (includes\plugin-pages.php:65)
action vx_contact_pre_trash_leads (includes\plugin-pages.php:66)
action vx_contact_pre_restore_leads (includes\plugin-pages.php:67)
action vx_contact_entry_updated (includes\plugin-pages.php:68)
filter vx_callcenter_entries_action (includes\plugin-pages.php:70)
filter vx_callcenter_bulk_actions (includes\plugin-pages.php:71)
filter plugin_row_meta (wp\crmperks-notices.php:16)
filter admin_footer_text (wp\crmperks-notices.php:30)
action admin_notices (wp\crmperks-notices.php:32)
filter plugins_api (wp\crmperks-notices.php:34)
Maintenance & Trust

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 20, 2026
PHP min version: 5.3
Downloads: 77K

Community Trust

Rating: 100/100
Number of ratings: 60
Active installs: 2K
Developer Profile

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Developer Profile

CRM Perks

32 plugins · 105K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 339 days
Detection Fingerprints

How We Detect Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-salesforce/admin/css/crmperks-admin.css
/wp-content/plugins/cf7-salesforce/admin/js/crmperks-admin.js
/wp-content/plugins/cf7-salesforce/css/style.css
/wp-content/plugins/cf7-salesforce/js/script.js
Script Paths
/wp-content/plugins/cf7-salesforce/admin/js/crmperks-admin.js
/wp-content/plugins/cf7-salesforce/js/script.js
Version Parameters
cf7-salesforce/css/style.css?ver=
cf7-salesforce/js/script.js?ver=
cf7-salesforce/admin/css/crmperks-admin.css?ver=
cf7-salesforce/admin/js/crmperks-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
crmperks-salesforce-form-wrapper
HTML Comments
<!-- CRM Perks Contact Form Salesforce -->
Data Attributes
data-crm-perks-salesforce-nonce
JS Globals
vxcf_sales