Object Sync for Salesforce Security & Risk Analysis

wordpress.org/plugins/object-sync-for-salesforce

Object Sync for Salesforce maps and syncs data between Salesforce objects and WordPress objects.

500 active installs · v2.2.13 · PHP 7.2+ · WP 6.5+ · Updated Dec 12, 2025
Tags: crm, salesforce, sync
Score: 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Object Sync for Salesforce Safe to Use in 2026?

Generally Safe

Score 100/100

Object Sync for Salesforce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3mo ago
Risk Assessment

The "object-sync-for-salesforce" plugin v2.2.13 exhibits a mixed security posture. While the absence of recorded CVEs and a clean taint analysis are positive indicators, significant concerns arise from its attack surface. All nine identified AJAX handlers lack authentication checks, presenting a direct pathway for unauthorized actions if any of these handlers are exploitable. Additionally, only two nonce checks are present across the entire plugin, which is insufficient for securing numerous AJAX endpoints.

The SQL query practices are moderately secure with 41% using prepared statements, but the remaining queries might be susceptible to injection if not carefully constructed. The output escaping is strong with 78% properly handled, mitigating some cross-site scripting risks.

The plugin's vulnerability history is a strong positive, suggesting a history of good security practices or diligent patching. However, the current static analysis reveals a substantial risk due to the large number of unprotected AJAX endpoints, which could be a significant target for attackers seeking to exploit potential logic flaws or vulnerabilities within these handlers. The strengths lie in the lack of critical vulnerabilities historically and in the taint analysis, but the unprotected AJAX handlers represent a clear and present danger that requires immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Insufficient nonce checks
  • SQL queries not always prepared
  • Bundled outdated jQuery
Vulnerabilities
None known

Object Sync for Salesforce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Object Sync for Salesforce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 20 · 14 prepared
Unescaped Output: 189 · 681 escaped
Nonce Checks: 2
Capability Checks: 6
File Operations: 1
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

jQuery 1.11.0

SQL Query Safety

41% prepared · 34 total queries

Output Escaping

78% escaped · 870 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
import_json_file (classes\class-object-sync-sf-admin.php:1977)
Attack Surface
9 unprotected

Object Sync for Salesforce Attack Surface

Entry Points: 9
Unprotected: 9

AJAX Handlers: 9

auth · wp_ajax_get_salesforce_object_description · classes\class-object-sync-sf-admin.php:273
auth · wp_ajax_get_salesforce_object_fields · classes\class-object-sync-sf-admin.php:274
auth · wp_ajax_get_wordpress_object_fields · classes\class-object-sync-sf-admin.php:275
auth · wp_ajax_push_to_salesforce · classes\class-object-sync-sf-admin.php:278
auth · wp_ajax_pull_from_salesforce · classes\class-object-sync-sf-admin.php:279
auth · wp_ajax_refresh_mapped_data · classes\class-object-sync-sf-admin.php:280
auth · wp_ajax_clear_sfwp_cache · classes\class-object-sync-sf-admin.php:281
auth · wp_ajax_delete_salesforce_api_version · classes\class-object-sync-sf-admin.php:282
auth · wp_ajax_salesforce_pull_webhook · classes\class-object-sync-sf-salesforce-pull.php:224
WordPress Hooks: 59

action · plugins_loaded · classes\class-object-sync-salesforce.php:254
action · plugins_loaded · classes\class-object-sync-salesforce.php:255
action · admin_init · classes\class-object-sync-sf-activate.php:113
action · admin_notices · classes\class-object-sync-sf-admin-notice.php:77
filter · plugin_action_links · classes\class-object-sync-sf-admin.php:260
action · admin_enqueue_scripts · classes\class-object-sync-sf-admin.php:263
action · admin_menu · classes\class-object-sync-sf-admin.php:266
action · admin_init · classes\class-object-sync-sf-admin.php:267
action · admin_init · classes\class-object-sync-sf-admin.php:268
action · admin_post_post_fieldmap · classes\class-object-sync-sf-admin.php:269
action · admin_post_delete_fieldmap · classes\class-object-sync-sf-admin.php:270
action · edit_user_profile · classes\class-object-sync-sf-admin.php:285
action · show_user_profile · classes\class-object-sync-sf-admin.php:286
action · personal_options_update · classes\class-object-sync-sf-admin.php:289
action · edit_user_profile_update · classes\class-object-sync-sf-admin.php:290
action · action_scheduler/migration_complete · classes\class-object-sync-sf-admin.php:304
action · admin_post_delete_object_map · classes\class-object-sync-sf-admin.php:307
action · admin_post_post_object_map · classes\class-object-sync-sf-admin.php:308
action · admin_post_object_sync_for_salesforce_import · classes\class-object-sync-sf-admin.php:311
action · admin_post_object_sync_for_salesforce_export · classes\class-object-sync-sf-admin.php:312
action · plugins_loaded · classes\class-object-sync-sf-logging.php:107
filter · cron_schedules · classes\class-object-sync-sf-logging.php:117
filter · wp_log_types · classes\class-object-sync-sf-logging.php:118
filter · wp_logging_should_we_prune · classes\class-object-sync-sf-logging.php:119
filter · wp_logging_prune_when · classes\class-object-sync-sf-logging.php:120
filter · wp_logging_prune_query_args · classes\class-object-sync-sf-logging.php:121
filter · wp_logging_post_type_args · classes\class-object-sync-sf-logging.php:122
filter · pre_wp_unique_post_slug · classes\class-object-sync-sf-logging.php:123
filter · wp_logging_manage_logs_filtered · classes\class-object-sync-sf-logging.php:127
filter · manage_edit-wp_log_columns · classes\class-object-sync-sf-logging.php:131
filter · manage_edit-wp_log_sortable_columns · classes\class-object-sync-sf-logging.php:132
action · manage_wp_log_posts_custom_column · classes\class-object-sync-sf-logging.php:133
filter · parse_query · classes\class-object-sync-sf-logging.php:136
action · restrict_manage_posts · classes\class-object-sync-sf-logging.php:137
action · init · classes\class-object-sync-sf-mapping.php:402
filter · action_scheduler_queue_runner_batch_size · classes\class-object-sync-sf-queue.php:77
filter · action_scheduler_queue_runner_concurrent_batches · classes\class-object-sync-sf-queue.php:78
action · rest_api_init · classes\class-object-sync-sf-rest.php:129
action · plugins_loaded · classes\class-object-sync-sf-salesforce-pull.php:192
filter · object_sync_for_salesforce_pull_option_legacy_key · classes\class-object-sync-sf-salesforce-pull.php:236
action · plugins_loaded · classes\class-object-sync-sf-salesforce-push.php:145
action · um_user_register · classes\class-object-sync-sf-salesforce-push.php:163
action · user_register · classes\class-object-sync-sf-salesforce-push.php:165
action · profile_update · classes\class-object-sync-sf-salesforce-push.php:167
action · delete_user · classes\class-object-sync-sf-salesforce-push.php:168
action · save_post · classes\class-object-sync-sf-salesforce-push.php:170
action · acf/save_post · classes\class-object-sync-sf-salesforce-push.php:173
action · add_attachment · classes\class-object-sync-sf-salesforce-push.php:176
action · edit_attachment · classes\class-object-sync-sf-salesforce-push.php:177
action · delete_attachment · classes\class-object-sync-sf-salesforce-push.php:178
action · create_term · classes\class-object-sync-sf-salesforce-push.php:180
action · edit_terms · classes\class-object-sync-sf-salesforce-push.php:181
action · delete_term · classes\class-object-sync-sf-salesforce-push.php:182
action · comment_post · classes\class-object-sync-sf-salesforce-push.php:184
action · edit_comment · classes\class-object-sync-sf-salesforce-push.php:185
action · delete_comment · classes\class-object-sync-sf-salesforce-push.php:186
action · save_post · classes\class-object-sync-sf-salesforce-push.php:189
action · acf/save_post · classes\class-object-sync-sf-salesforce-push.php:192
action · admin_init · classes\class-object-sync-sf-wordpress.php:106
Maintenance & Trust

Object Sync for Salesforce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 12, 2025
PHP min version: 7.2
Downloads: 45K

Community Trust

Rating: 100/100
Number of ratings: 13
Active installs: 500
Developer Profile

Object Sync for Salesforce Developer Profile

MinnPost

1 plugin · 500 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Object Sync for Salesforce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/object-sync-for-salesforce/css/admin.css
/wp-content/plugins/object-sync-for-salesforce/css/admin.min.css
/wp-content/plugins/object-sync-for-salesforce/js/admin.js
/wp-content/plugins/object-sync-for-salesforce/js/admin.min.js
/wp-content/plugins/object-sync-for-salesforce/js/object-sync-for-salesforce.js
/wp-content/plugins/object-sync-for-salesforce/js/object-sync-for-salesforce.min.js
/wp-content/plugins/object-sync-for-salesforce/js/settings.js
/wp-content/plugins/object-sync-for-salesforce/js/settings.min.js

Script Paths
/wp-content/plugins/object-sync-for-salesforce/js/admin.js
/wp-content/plugins/object-sync-for-salesforce/js/admin.min.js
/wp-content/plugins/object-sync-for-salesforce/js/object-sync-for-salesforce.js
/wp-content/plugins/object-sync-for-salesforce/js/object-sync-for-salesforce.min.js
/wp-content/plugins/object-sync-for-salesforce/js/settings.js
/wp-content/plugins/object-sync-for-salesforce/js/settings.min.js

Version Parameters
object-sync-for-salesforce/css/admin.css?ver=
object-sync-for-salesforce/css/admin.min.css?ver=
object-sync-for-salesforce/js/admin.js?ver=
object-sync-for-salesforce/js/admin.min.js?ver=
object-sync-for-salesforce/js/object-sync-for-salesforce.js?ver=
object-sync-for-salesforce/js/object-sync-for-salesforce.min.js?ver=
object-sync-for-salesforce/js/settings.js?ver=
object-sync-for-salesforce/js/settings.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
object-sync-salesforce-admin
osf-settings-page

Data Attributes
data-object-sync-salesforce-nonce
data-object-sync-salesforce-ajax-url

JS Globals
object_sync_salesforce_admin_params
ObjectSyncSalesforce
REST Endpoints
/wp-json/object-sync-for-salesforce/v1/objects
FAQ

Frequently Asked Questions about Object Sync for Salesforce