WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Security & Risk Analysis

wordpress.org/plugins/cf7-zoho

Send Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms and many other contact form submissions to Zoho CRM and Bigin.

3K active installs · v1.3.3 · PHP 5.3+ · WP 3.8+ · Updated Feb 28, 2026
Tags: contact-form-7-zoho-crm, formidable-zoho-crm, ninja-forms-zoho-crm, wordpress-zoho-crm-plugin, wpforms-zoho
Score: 90 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jun 16, 2025
Safety Verdict

Is WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Safe to Use in 2026?

Generally Safe

Score 90/100

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jun 16, 2025 · Updated 1mo ago
Risk Assessment

The 'cf7-zoho' plugin version 1.3.3 presents a mixed security posture. Static analysis indicates a very small attack surface, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks, but there are concerning signals within the code itself. The presence of the `unserialize` function, a known source of deserialization vulnerabilities, without explicit checks for untrusted input is a significant red flag. The one call flagged, at cf7-zoho.php:392, does pass `'allowed_classes' => false`, which on PHP 7.0 and later stops `unserialize` from instantiating objects. Although no critical or high severity taint flows were found, this function's usage could potentially be exploited if serialized data is manipulated by an attacker. Furthermore, while a majority of SQL queries use prepared statements and a good percentage of output is properly escaped, the remaining portions leave potential for SQL injection and cross-site scripting vulnerabilities if they are not handled carefully in all cases.

The plugin's vulnerability history is a major concern, with five known CVEs recorded, including one critical, one high, and three medium. The types of past vulnerabilities (Deserialization of Untrusted Data, SQL Injection, CSRF, XSS) align with the types of weaknesses that could be introduced by the identified code signals. The most recent vulnerability is dated 2025-06-16, which suggests a pattern of past security flaws, even though none are currently marked as unpatched. This history indicates a need for diligent review and patching of any vulnerabilities discovered in the future.

In conclusion, while the plugin has a small attack surface and shows some good practices like the use of prepared statements and nonces, the presence of `unserialize` and a history of serious vulnerabilities necessitate caution. The code signals and historical data suggest potential for significant security issues if not addressed proactively. Continued vigilance and code auditing are recommended.

Key Concerns

  • Presence of dangerous function: unserialize
  • Known CVEs: 5 total (1 critical, 1 high, 3 medium)
  • SQL queries not using prepared statements (24%)
  • Output escaping not properly handled (24%)
Vulnerabilities
5

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Security Vulnerabilities

CVEs by Year

2021: 2 CVEs
2023: 2 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 3

5 total CVEs

CVE-2025-49330 · critical · 9.8 · Deserialization of Untrusted Data

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.3.0 - Unauthenticated PHP Object Injection

Jun 16, 2025 Patched in 1.3.1 (10d)
CVE-2023-2527 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 - Authenticated (Admin+) SQL Injection

May 22, 2023 Patched in 1.2.4 (246d)
CVE-2023-25976 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.2 - Cross-Site Request Forgery via settings_page function

Feb 22, 2023 Patched in 1.2.3 (335d)
WF-cc1e9778-2860-4e3c-a2e4-28f10d585fed-cf7-zoho · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks - Various Plugins (Various Versions) - Reflected Cross-Site Scripting

Aug 26, 2021 Patched in 1.1.9 (880d)
WF-c4a649b0-d5b2-4e4c-833c-01ecf12611a5-cf7-zoho · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.1.7 - Cross-Site Scripting

Aug 25, 2021 Patched in 1.1.8 (881d)
Code Analysis
Analyzed Mar 16, 2026

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 8 (25 prepared)
Unescaped Output: 102 (332 escaped)
Nonce Checks: 18
Capability Checks: 24
File Operations: 2
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$val=unserialize($val, array('allowed_classes' => false));` · cf7-zoho.php:392

Bundled Libraries

Select2

SQL Query Safety

76% prepared · 33 total queries

Output Escaping

76% escaped · 434 total outputs
Data Flows
All sanitized

Data Flow Analysis

5 flows
setup_plugin (includes\plugin-pages.php:499)
Attack Surface

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 39
action · plugins_loaded · cf7-zoho.php:59
action · cfx_form_submitted · cf7-zoho.php:100
action · vxcf_entry_created · cf7-zoho.php:101
action · vx_contact_created · cf7-zoho.php:102
action · vx_callcenter_entry_created · cf7-zoho.php:103
action · wpcf7_mail_sent · cf7-zoho.php:107
action · frm_after_create_entry · cf7-zoho.php:108
action · ninja_forms_after_submission · cf7-zoho.php:109
action · wpforms_process_entry_save · cf7-zoho.php:110
action · elementor_pro/forms/new_record · cf7-zoho.php:112
action · init · cf7-zoho.php:116
action · vx_cf_add_meta_box · includes\crmperks-cf.php:10
action · cfx_add_meta_box · includes\plugin-pages.php:35
action · cfx_form_entry_updated · includes\plugin-pages.php:36
action · cfx_form_post_note_added · includes\plugin-pages.php:37
action · cfx_form_pre_note_deleted · includes\plugin-pages.php:38
action · cfx_form_pre_trash_leads · includes\plugin-pages.php:39
action · cfx_form_pre_restore_leads · includes\plugin-pages.php:40
filter · admin_menu · includes\plugin-pages.php:52
filter · vx_cf_meta_boxes_right · includes\plugin-pages.php:53
action · admin_notices · includes\plugin-pages.php:54
filter · plugin_action_links · includes\plugin-pages.php:55
action · vxcf_entry_submit_btn · includes\plugin-pages.php:56
action · vx_cf7_post_note_added · includes\plugin-pages.php:58
action · vx_cf7_pre_note_deleted · includes\plugin-pages.php:59
action · vx_cf7_pre_trash_leads · includes\plugin-pages.php:60
action · vx_cf7_pre_restore_leads · includes\plugin-pages.php:61
action · vx_cf7_entry_updated · includes\plugin-pages.php:62
action · vx_contact_post_note_added · includes\plugin-pages.php:64
action · vx_contact_pre_note_deleted · includes\plugin-pages.php:65
action · vx_contact_pre_trash_leads · includes\plugin-pages.php:66
action · vx_contact_pre_restore_leads · includes\plugin-pages.php:67
action · vx_contact_entry_updated · includes\plugin-pages.php:68
filter · vx_callcenter_entries_action · includes\plugin-pages.php:70
filter · vx_callcenter_bulk_actions · includes\plugin-pages.php:71
filter · plugin_row_meta · wp\crmperks-notices.php:16
filter · admin_footer_text · wp\crmperks-notices.php:30
action · admin_notices · wp\crmperks-notices.php:32
filter · plugins_api · wp\crmperks-notices.php:34
Maintenance & Trust

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 28, 2026
PHP min version: 5.3
Downloads: 90K

Community Trust

Rating: 100/100
Number of ratings: 44
Active installs: 3K
Developer Profile

WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin Developer Profile

CRM Perks

32 plugins · 105K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 349 days
Detection Fingerprints

How We Detect WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cf7-zoho/assets/css/main.css
  • /wp-content/plugins/cf7-zoho/assets/js/main.js
  • /wp-content/plugins/cf7-zoho/assets/js/vendor/jquery.validate.min.js
  • /wp-content/plugins/cf7-zoho/assets/js/vendor/sweetalert.min.js
  • /wp-content/plugins/cf7-zoho/admin/assets/css/admin.css
  • /wp-content/plugins/cf7-zoho/admin/assets/js/admin.js
Script Paths
  • /wp-content/plugins/cf7-zoho/assets/js/main.js
  • /wp-content/plugins/cf7-zoho/assets/js/vendor/jquery.validate.min.js
  • /wp-content/plugins/cf7-zoho/assets/js/vendor/sweetalert.min.js
  • /wp-content/plugins/cf7-zoho/admin/assets/js/admin.js
Version Parameters
  • cf7-zoho/assets/css/main.css?ver=
  • cf7-zoho/assets/js/main.js?ver=
  • cf7-zoho/assets/js/vendor/jquery.validate.min.js?ver=
  • cf7-zoho/assets/js/vendor/sweetalert.min.js?ver=
  • cf7-zoho/admin/assets/css/admin.css?ver=
  • cf7-zoho/admin/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
cf7-zoho-admin-wrap
Data Attributes
  • data-crmperks-plugin-id
  • data-crmperks-slug
JS Globals
vxcf_zoho_data
FAQ

Frequently Asked Questions about WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin