Web to SugarCRM Lead Security & Risk Analysis

wordpress.org/plugins/web-to-sugarcrm-lead

Easily submit custom form data to your SugarCRM Lead module with a widget-based form. Fast, hassle-free, and 100% free SugarCRM lead generation.

0 active installs · v1.0.1 · PHP min version: not listed · WP 3.4+ · Updated Dec 19, 2025

Tags: sugarcrm, sugarcrm-integration, web-to-sugarcrm, web-to-lead-sugarcrm, wordpress-to-sugarcrm

Score: 99/100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Dec 20, 2025
Safety Verdict

Is Web to SugarCRM Lead Safe to Use in 2026?

Generally Safe

Score 99/100

Web to SugarCRM Lead has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Dec 20, 2025 · Updated 4mo ago
Risk Assessment

The web-to-sugarcrm-lead plugin v1.0.1 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and escaping the vast majority of its output, which significantly mitigates common injection vulnerabilities. The absence of bundled libraries and a single external HTTP request are also favorable indicators. However, concerns arise from the presence of the `unserialize` dangerous function, which can lead to remote code execution if improperly handled. Furthermore, the taint analysis reveals six high-severity flows with unsanitized paths, indicating potential for vulnerabilities such as path traversal or insecure file handling. The plugin's attack surface includes 13 AJAX handlers, with three lacking authentication checks, creating an open door for unauthorized actions. While the vulnerability history shows only one past medium-severity CVE related to CSRF, and no currently unpatched vulnerabilities, the presence of past issues and the identified code signals suggest a need for caution. The plugin has strengths in its SQL and output handling but weaknesses in authentication on AJAX endpoints and the risky use of `unserialize` along with critical taint flows.

Key Concerns

  • 3 AJAX handlers without auth checks
  • 6 high severity flows with unsanitized paths
  • 1 dangerous function: unserialize
  • 0 capability checks
  • 1 known CVE (medium severity)
Vulnerabilities
1 published

Web to SugarCRM Lead Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-13361 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Web to SugarCRM Lead <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion

Dec 20, 2025 · Patched in 1.0.1 (1 day)
Version History

Web to SugarCRM Lead Release Timeline

v1.0.1 (current)
v1.0.0 (1 CVE)
Code Analysis
Analyzed Apr 16, 2026

Web to SugarCRM Lead Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 0 (50 prepared)
  • Unescaped Output: 3 (426 escaped)
  • Nonce Checks: 9
  • Capability Checks: 0
  • File Operations: 1
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$sObj = unserialize($values);` · wpscl-Common-functions.php:17
  • unserialize · `$sObj = unserialize($values);` · wpscl-Common-functions.php:26
  • unserialize · `$sObj = unserialize($values);` · wpscl-Common-functions.php:36

SQL Query Safety

100% prepared (50 total queries)

Output Escaping

99% escaped (429 total outputs)
Data Flows · Security
6 unsanitized

Data Flow Analysis

12 flows, 6 with unsanitized paths

  • search_box (wpscl-Fields_map_table.php:135)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
3 unprotected

Web to SugarCRM Lead Attack Surface

Entry Points: 14
Unprotected: 3

AJAX Handlers 13

  • auth · wp_ajax_WPSCL_save_custom_label · wpscl-admin-functions.php:8
  • auth · wp_ajax_WPSCL_save_custom_order · wpscl-admin-functions.php:34
  • auth · wp_ajax_WPSCL_Grid_Ajax_Action · wpscl-admin-functions.php:62
  • auth · wp_ajax_WidgetForm · wpscl-admin-functions.php:123
  • nopriv · wp_ajax_WidgetForm · wpscl-admin-functions.php:124
  • auth · wp_ajax_WPSCL_saveConfig · wpscl-admin-functions.php:299
  • auth · wp_ajax_WPSCL_LeadFieldSync · wpscl-admin-functions.php:345
  • auth · wp_ajax_WPSCL_GeneralMessagesSave · wpscl-admin-functions.php:375
  • auth · wp_ajax_WPSCL_save_custom_css · wpscl-admin-functions.php:397
  • auth · wp_ajax_WPSCL_GeneralSettingSave · wpscl-admin-functions.php:417
  • auth · wp_ajax_WPSCL_Custom_Field_Save · wpscl-admin-functions.php:450
  • auth · wp_ajax_WPSCL_Custom_Field_Delete · wpscl-admin-functions.php:495
  • auth · wp_ajax_WPSCL_TestSugarConn · wpscl-admin-functions.php:746

Shortcodes 1

  • [WPSCL_CRM_Lead_Form] · wpscl-Widget.php:182

WordPress Hooks 7
  • action · widgets_init · wpscl-Widget.php:180
  • filter · upload_dir · wpscl-admin-functions.php:168
  • filter · wp_mail_content_type · wpscl-admin-functions.php:261
  • action · wp_enqueue_scripts · wpscl.conf.php:49
  • action · admin_init · wpscl.conf.php:69
  • action · admin_footer · wpscl.conf.php:110
  • action · admin_menu · wpscl.php:26
Maintenance & Trust

Web to SugarCRM Lead Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 19, 2025
PHP min version: not listed
Downloads: 544

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Web to SugarCRM Lead Developer Profile

Dipesh Patel

3 plugins · 110 total installs

Trust score: 98
Avg Security Score: 97/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Web to SugarCRM Lead

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/web-to-sugarcrm-lead/js/wpscl-admin.min.js
  • /wp-content/plugins/web-to-sugarcrm-lead/wpscl-captcha.php
  • /wp-content/plugins/web-to-sugarcrm-lead/image/reload_captcha.png
Script Paths
https://www.google.com/recaptcha/api.js

HTML / DOM Fingerprints

CSS Classes
LeadFormMsg, nonHidden, LeadFormRequired, required_cls, WPSCL_captcha, WPSCL_captcha_img, WPSCL_repload_captcha, g-recaptcha
Data Attributes
data-sitekey
JS Globals
obj_captcha, WPSCL_getHTMLElement
Shortcode Output
`<div class='LeadFormMsg'>Web To SugarCRM Lead Form</div><form id='WPSCL_Widget_Form' method='POST' enctype='multipart/form-data'><input type='hidden' value='' name='_nonce' />`
FAQ

Frequently Asked Questions about Web to SugarCRM Lead