[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEAEjjYMUZE68JcLKXAaQCYMtY_Ew2WQJ8mB9PBXiim0":3,"$f5TSvyGJKeWPN6Y8TtjCTjVOd_9799XAffsbFUdLhiw8":623,"$ff99RVNzQcMk4QM2O8_CcncttFbJ9bWIyBT19V_QgMbM":626},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":47,"crawl_stats":36,"alternatives":54,"analysis":115,"fingerprints":577},"web-to-sugarcrm-lead","Web to SugarCRM Lead","1.0.1","Dipesh Patel","https:\u002F\u002Fprofiles.wordpress.org\u002Fdipesh_patel\u002F","\u003Cp>\u003Cstrong>This plugin will provide a Widget Form anywhere you want for easy, fast & hassle-free SugarCRM Leads.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No license fees, 100% FREE, No Ads, No BloatWares\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FAvmJXsbojog?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>Web to SugarCRM Lead plugin is simple yet advanced, easy & one-time setup solution for your business needs. Plugin will dynamically generate a Lead-form on a Widget based on your choices using fields which are mapped to your SugarCRM Lead module. You can change the Order & Label of the field any time you want. \u003Cstrong>Now convert your website traffic\u002Fvisitors into business Leads\u003C\u002Fstrong>. It was never that easy before.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Quick Setup: Get started in just 2 minutes.  \u003C\u002Fli>\n\u003Cli>No HTML Knowledge Required: Build forms effortlessly without any HTML expertise.\u003C\u002Fli>\n\u003Cli>Intuitive Interface: Create forms easily with a user-friendly interface.\u003C\u002Fli>\n\u003Cli>Dynamic Generation: Forms adapt dynamically based on your Lead module fields.\u003C\u002Fli>\n\u003Cli>Simple Management: Easily oversee and maintain your forms.\u003C\u002Fli>\n\u003Cli>Customizable Hidden Fields: Include hidden fields with any desired value, and modify them as needed for each lead form.\u003C\u002Fli>\n\u003Cli>Mandatory Field Marking: Designate any field as mandatory for form completion.\u003C\u002Fli>\n\u003Cli>Flexible Message Editing: Customize success, failure, and error messages according to your preferences.\u003C\u002Fli>\n\u003Cli>User\u002FVisitor Remote Address Recording: Record user\u002Fvisitor remote addresses for valuable data insights.\u003C\u002Fli>\n\u003Cli>File Attachment Support: Attach unlimited files to each lead for comprehensive information sharing via email after form submission.\u003C\u002Fli>\n\u003Cli>Email Notifications: Receive email notifications for every lead generated.\u003C\u002Fli>\n\u003Cli>Submission Page Redirection: Redirect users to specific pages upon form submission.\u003C\u002Fli>\n\u003Cli>Custom CSS Styling: Personalize lead forms with custom CSS styles.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>External Services\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Google reCAPTCHA:\n\u003Cul>\n\u003Cli>Purpose: Used for spam protection on the forms.\u003C\u002Fli>\n\u003Cli>Service URL: https:\u002F\u002Fwww.google.com\u002Frecaptcha\u003C\u002Fli>\n\u003Cli>Privacy Policy: https:\u002F\u002Fpolicies.google.com\u002Fprivacy\u003C\u002Fli>\n\u003Cli>Terms of Service: https:\u002F\u002Fpolicies.google.com\u002Fterms\u003C\u002Fli>\n\u003Cli>Data Transmission: When visitors submit the form, their data may be verified via Google’s reCAPTCHA to prevent spam submissions. No other personal data is shared with Google.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Source Code\u003C\u002Fh3>\n\u003Cp>The source code for the minified JavaScript files is available in the ‘js\u002Fsrc\u002F’ directory of the plugin.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Ensure that the configured user has sufficient rights to fetch and save data into SugarCRM using the REST API.\u003C\u002Fli>\n\u003Cli>The widget can be utilized only once per page. If it appears more than once on a single page, it will not function properly.\u003C\u002Fli>\n\u003Cli>Essential: Save your SugarCRM URL, username, and password. Without this information, the plugin will not operate.\u003C\u002Fli>\n\u003Cli>For the ‘Pass User Remote Address with Every Lead’ function to work, you need to create a custom field in your SugarCRM lead module called ‘lead_remote_ip’.\u003C\u002Fli>\n\u003Cli>Proceed to make the field hidden and input its value in the Widget arguments on the Widgets page. This feature can be optimized to determine the source from which the lead is generated on your website.\u003C\u002Fli>\n\u003C\u002Fol>\n","Easily submit custom form data to your SugarCRM Lead module with a widget-based form. Fast, hassle-free, and 100% free SugarCRM lead generation.",0,544,"2025-12-19T09:19:00.000Z","6.7.5","3.4","",[18,19,20,21,22],"sugarcrm","sugarcrm-integration","web-to-sugarcrm","web-to-lead-sugarcrm","wordpress-to-sugarcrm","https:\u002F\u002Foffshoreevolution.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fweb-to-sugarcrm-lead.1.0.1.zip",99,1,"2025-12-20 14:22:10","2026-04-16T10:56:18.058Z","no_bundle",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":6,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":43,"days_to_patch":26,"patch_diff_files":45,"patch_trac_url":36,"research_status":36,"research_verified":46,"research_rounds_completed":11,"research_plan":36,"research_summary":36,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":36,"research_model_used":36,"research_started_at":36,"research_completed_at":36,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":46,"poc_model_used":36,"poc_verification_depth":36},"CVE-2025-13361","web-to-sugarcrm-lead-cross-site-request-forgery-to-custom-field-deletion","Web to SugarCRM Lead \u003C= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion","The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.0.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-12-21 03:20:06",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb7c54b5d-ad73-44f1-afdb-01136ec0b9ae?source=api-prod",[],false,{"slug":48,"display_name":7,"profile_url":8,"plugin_count":49,"total_installs":50,"avg_security_score":51,"avg_patch_time_days":26,"trust_score":52,"computed_at":53},"dipesh_patel",3,110,97,98,"2026-05-19T21:19:58.655Z",[55,77,95],{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":63,"downloaded":64,"rating":65,"num_ratings":26,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":16,"tags":69,"homepage":74,"download_link":75,"security_score":76,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":28},"sync-sugarcrm-users","Sync SugarCRM Users","2.3","sukum","https:\u002F\u002Fprofiles.wordpress.org\u002Fsukum\u002F","\u003Cp>This plugin pulls the user details from a given SugarCRM URL and if there are no corresponding users creates users in WordPress.\u003C\u002Fp>\n\u003Cp>Similarly it allows the user to sync selected WordPress users to SugarCRM as Accounts\u002FContacts\u002FUsers.\u003C\u002Fp>\n\u003Cp>Admin is logged in to SugarCRM transparently and can manage SugarCRM from WordPress.\u003C\u002Fp>\n\u003Cp>If ‘auto sync’ is checked, a user created in wordpress is automatically synced to SugarCRM as Accounts\u002FContacts\u002FUsers.\u003C\u002Fp>\n","Sync SugarCRM Users to WordPress and vice versa",10,2820,100,"2016-05-21T17:17:00.000Z","4.5.33","2.6",[70,71,72,18,73],"accounts","contacts","crm","users","http:\u002F\u002Fsukum.net\u002Fsync-sugarcrm-users\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsync-sugarcrm-users.2.3.zip",85,{"slug":78,"name":79,"version":80,"author":7,"author_profile":8,"description":81,"short_description":82,"active_installs":63,"downloaded":83,"rating":11,"num_ratings":11,"last_updated":84,"tested_up_to":14,"requires_at_least":85,"requires_php":86,"tags":87,"homepage":16,"download_link":93,"security_score":94,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":28},"users-to-crm-contacts","Users to CRM Contacts","1.6","\u003Cp>This plugin integrates your WordPress site with SugarCRM\u002FSuiteCRM, enabling smooth data exchange between your website users and SugarCRM\u002FSuiteCRM contacts.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Automatically sync WordPress users to SugarCRM\u002FSuiteCRM.\u003Cbr \u002F>\n– Map user meta fields to SugarCRM\u002FSuiteCRM contact fields.\u003Cbr \u002F>\n– Create and update SugarCRM\u002FSuiteCRM contacts directly from WordPress.\u003Cbr \u002F>\n– Handle duplicate records with robust conflict management.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Use Cases:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Simplify lead management by syncing website registrations to SugarCRM\u002FSuiteCRM.\u003Cbr \u002F>\n– Update SugarCRM\u002FSuiteCRM contacts when users modify their profiles.\u003Cbr \u002F>\n– Avoid duplicate records with a seamless email-based search.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why Use This Plugin?\u003C\u002Fstrong>\u003Cbr \u002F>\nWith this plugin, you can automate your workflow and enhance your CRM’s usability by keeping your user data in sync with SugarCRM\u002FSuiteCRM.\u003C\u002Fp>\n","Integrate WordPress with SugarCRM\u002FSuiteCRM to sync user data, simplify lead management, and improve user tracking",2685,"2024-12-15T07:23:00.000Z","5.6","7.4",[88,89,90,91,92],"synchronize-wp-users-with-sugarcrm-suitecrm","synchronize-wp-users-with-suitecrm","wordpress-users-to-crm-contacts","wordpress-with-crm","wp-users","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fusers-to-crm-contacts.1.6.zip",92,{"slug":96,"name":97,"version":98,"author":99,"author_profile":100,"description":101,"short_description":102,"active_installs":11,"downloaded":103,"rating":11,"num_ratings":11,"last_updated":104,"tested_up_to":105,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":16,"download_link":113,"security_score":76,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":114},"simple-woo-to-sugarcrm","Simple Woo to SugarCRM","1.0","natespring92","https:\u002F\u002Fprofiles.wordpress.org\u002Fnatespring92\u002F","\u003Cp>Automatically send WooCommerce customers to your SugarCRM dashboard as leads after they check out. This is a great way to avoid services like Zapier.\u003C\u002Fp>\n","Automatically send WooCommerce customers to your SugarCRM dashboard as leads.",836,"2020-07-07T03:21:00.000Z","5.4.19","5.1","7.1",[109,110,18,111,112],"integration","sugar","woo","woocommerce","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-woo-to-sugarcrm.zip","2026-03-15T15:16:48.613Z",{"attackSurface":116,"codeSignals":202,"taintFlows":228,"riskAssessment":561,"analyzedAt":576},{"hooks":117,"ajaxHandlers":151,"restRoutes":195,"shortcodes":196,"cronEvents":200,"entryPointCount":201,"unprotectedCount":49},[118,124,130,134,139,143,146],{"type":119,"name":120,"callback":121,"file":122,"line":123},"action","widgets_init","WPSCL_Lead_Widget_init","wpscl-Widget.php",180,{"type":125,"name":126,"callback":127,"file":128,"line":129},"filter","upload_dir","WPSCL_Change_Upload_Dir","wpscl-admin-functions.php",168,{"type":125,"name":131,"callback":132,"file":128,"line":133},"wp_mail_content_type","WPSCL_set_mail_contenttype",261,{"type":119,"name":135,"callback":136,"file":137,"line":138},"wp_enqueue_scripts","WPSCL_frontend_script_load","wpscl.conf.php",49,{"type":119,"name":140,"callback":141,"file":137,"line":142},"admin_init","WPSCL_PluginStyleJS",69,{"type":119,"name":144,"callback":145,"file":137,"line":50},"admin_footer","WPSCL_HaleFooterHTML",{"type":119,"name":147,"callback":148,"file":149,"line":150},"admin_menu","WPSCL_CreateMenu","wpscl.php",26,[152,157,161,165,169,171,174,177,180,183,186,189,192],{"action":153,"nopriv":46,"callback":154,"hasNonce":155,"hasCapCheck":46,"file":128,"line":156},"WPSCL_save_custom_label","WPSCL_save_custom_label_callback",true,8,{"action":158,"nopriv":46,"callback":159,"hasNonce":155,"hasCapCheck":46,"file":128,"line":160},"WPSCL_save_custom_order","WPSCL_save_custom_order_callback",34,{"action":162,"nopriv":46,"callback":163,"hasNonce":46,"hasCapCheck":46,"file":128,"line":164},"WPSCL_Grid_Ajax_Action","WPSCL_Grid_Ajax_Action_callback",62,{"action":166,"nopriv":46,"callback":167,"hasNonce":155,"hasCapCheck":46,"file":128,"line":168},"WidgetForm","WPSCL_WidgetForm",123,{"action":166,"nopriv":155,"callback":167,"hasNonce":155,"hasCapCheck":46,"file":128,"line":170},124,{"action":172,"nopriv":46,"callback":172,"hasNonce":155,"hasCapCheck":46,"file":128,"line":173},"WPSCL_saveConfig",299,{"action":175,"nopriv":46,"callback":175,"hasNonce":155,"hasCapCheck":46,"file":128,"line":176},"WPSCL_LeadFieldSync",345,{"action":178,"nopriv":46,"callback":178,"hasNonce":155,"hasCapCheck":46,"file":128,"line":179},"WPSCL_GeneralMessagesSave",375,{"action":181,"nopriv":46,"callback":181,"hasNonce":155,"hasCapCheck":46,"file":128,"line":182},"WPSCL_save_custom_css",397,{"action":184,"nopriv":46,"callback":184,"hasNonce":155,"hasCapCheck":46,"file":128,"line":185},"WPSCL_GeneralSettingSave",417,{"action":187,"nopriv":46,"callback":187,"hasNonce":46,"hasCapCheck":46,"file":128,"line":188},"WPSCL_Custom_Field_Save",450,{"action":190,"nopriv":46,"callback":190,"hasNonce":155,"hasCapCheck":46,"file":128,"line":191},"WPSCL_Custom_Field_Delete",495,{"action":193,"nopriv":46,"callback":193,"hasNonce":46,"hasCapCheck":46,"file":128,"line":194},"WPSCL_TestSugarConn",746,[],[197],{"tag":198,"callback":198,"file":122,"line":199},"WPSCL_CRM_Lead_Form",182,[],14,{"dangerousFunctions":203,"sqlUsage":212,"outputEscaping":215,"fileOperations":26,"externalRequests":26,"nonceChecks":226,"capabilityChecks":11,"bundledLibraries":227},[204,209,210],{"fn":205,"file":206,"line":207,"context":208},"unserialize","wpscl-Common-functions.php",17,"$sObj = unserialize($values);",{"fn":205,"file":206,"line":150,"context":208},{"fn":205,"file":206,"line":211,"context":208},36,{"prepared":213,"raw":11,"locations":214},50,[],{"escaped":216,"rawEcho":49,"locations":217},426,[218,221,223],{"file":122,"line":219,"context":220},28,"raw output",{"file":122,"line":222,"context":220},82,{"file":224,"line":225,"context":220},"wpscl.crm.cls.php",296,9,[],[229,247,287,312,322,379,490,511,525,533,542,553],{"entryPoint":230,"graph":231,"unsanitizedCount":11,"severity":246},"search_box (wpscl-Fields_map_table.php:135)",{"nodes":232,"edges":244},[233,239],{"id":234,"type":235,"label":236,"file":237,"line":238},"n0","source","$_POST['LeadSearch']","wpscl-Fields_map_table.php",140,{"id":240,"type":241,"label":242,"file":237,"line":238,"wp_function":243},"n1","sink","echo() [XSS]","echo",[245],{"from":234,"to":240,"sanitized":155},"low",{"entryPoint":248,"graph":249,"unsanitizedCount":11,"severity":246},"WPSCL_saveConfig (wpscl-admin-functions.php:300)",{"nodes":250,"edges":281},[251,254,257,261,263,267,269,273,275,279],{"id":234,"type":235,"label":252,"file":128,"line":253},"$_POST['SugarURL']",319,{"id":240,"type":241,"label":255,"file":128,"line":253,"wp_function":256},"update_option() [Settings Manipulation]","update_option",{"id":258,"type":235,"label":259,"file":128,"line":260},"n2","$_POST['SugarUser']",320,{"id":262,"type":241,"label":255,"file":128,"line":260,"wp_function":256},"n3",{"id":264,"type":235,"label":265,"file":128,"line":266},"n4","$_POST['SugarPass']",321,{"id":268,"type":241,"label":255,"file":128,"line":266,"wp_function":256},"n5",{"id":270,"type":235,"label":271,"file":128,"line":272},"n6","$_POST['HtaccessUser']",325,{"id":274,"type":241,"label":255,"file":128,"line":272,"wp_function":256},"n7",{"id":276,"type":235,"label":277,"file":128,"line":278},"n8","$_POST['HtaccessPass']",326,{"id":280,"type":241,"label":255,"file":128,"line":278,"wp_function":256},"n9",[282,283,284,285,286],{"from":234,"to":240,"sanitized":155},{"from":258,"to":262,"sanitized":155},{"from":264,"to":268,"sanitized":155},{"from":270,"to":274,"sanitized":155},{"from":276,"to":280,"sanitized":155},{"entryPoint":288,"graph":289,"unsanitizedCount":11,"severity":246},"WPSCL_GeneralMessagesSave (wpscl-admin-functions.php:376)",{"nodes":290,"edges":307},[291,294,295,298,299,302,303,306],{"id":234,"type":235,"label":292,"file":128,"line":293},"$_POST['SuccessMessage']",382,{"id":240,"type":241,"label":255,"file":128,"line":293,"wp_function":256},{"id":258,"type":235,"label":296,"file":128,"line":297},"$_POST['FailureMessage']",383,{"id":262,"type":241,"label":255,"file":128,"line":297,"wp_function":256},{"id":264,"type":235,"label":300,"file":128,"line":301},"$_POST['ReqFieldsMessage']",384,{"id":268,"type":241,"label":255,"file":128,"line":301,"wp_function":256},{"id":270,"type":235,"label":304,"file":128,"line":305},"$_POST['InvalidCaptchaMessage']",385,{"id":274,"type":241,"label":255,"file":128,"line":305,"wp_function":256},[308,309,310,311],{"from":234,"to":240,"sanitized":155},{"from":258,"to":262,"sanitized":155},{"from":264,"to":268,"sanitized":155},{"from":270,"to":274,"sanitized":155},{"entryPoint":313,"graph":314,"unsanitizedCount":11,"severity":246},"WPSCL_save_custom_css (wpscl-admin-functions.php:398)",{"nodes":315,"edges":320},[316,319],{"id":234,"type":235,"label":317,"file":128,"line":318},"$_POST['css']",404,{"id":240,"type":241,"label":255,"file":128,"line":318,"wp_function":256},[321],{"from":234,"to":240,"sanitized":155},{"entryPoint":323,"graph":324,"unsanitizedCount":11,"severity":246},"WPSCL_GeneralSettingSave (wpscl-admin-functions.php:418)",{"nodes":325,"edges":369},[326,329,330,333,334,336,337,340,341,344,345,349,351,355,357,361,363,367],{"id":234,"type":235,"label":327,"file":128,"line":328},"$_POST['IPaddrStatus']",424,{"id":240,"type":241,"label":255,"file":128,"line":328,"wp_function":256},{"id":258,"type":235,"label":331,"file":128,"line":332},"$_POST['EmailNotification']",425,{"id":262,"type":241,"label":255,"file":128,"line":332,"wp_function":256},{"id":264,"type":235,"label":335,"file":128,"line":216},"$_POST['EmailReceiver']",{"id":268,"type":241,"label":255,"file":128,"line":216,"wp_function":256},{"id":270,"type":235,"label":338,"file":128,"line":339},"$_POST['catpchaStatus']",427,{"id":274,"type":241,"label":255,"file":128,"line":339,"wp_function":256},{"id":276,"type":235,"label":342,"file":128,"line":343},"$_POST['selectcaptcha']",428,{"id":280,"type":241,"label":255,"file":128,"line":343,"wp_function":256},{"id":346,"type":235,"label":347,"file":128,"line":348},"n10","$_POST['redirectStatus']",430,{"id":350,"type":241,"label":255,"file":128,"line":348,"wp_function":256},"n11",{"id":352,"type":235,"label":353,"file":128,"line":354},"n12","$_POST['redirectTo']",431,{"id":356,"type":241,"label":255,"file":128,"line":354,"wp_function":256},"n13",{"id":358,"type":235,"label":359,"file":128,"line":360},"n14","$_POST['wpscl_recaptcha_site_key']",434,{"id":362,"type":241,"label":255,"file":128,"line":360,"wp_function":256},"n15",{"id":364,"type":235,"label":365,"file":128,"line":366},"n16","$_POST['wpscl_recaptcha_secret_key']",435,{"id":368,"type":241,"label":255,"file":128,"line":366,"wp_function":256},"n17",[370,371,372,373,374,375,376,377,378],{"from":234,"to":240,"sanitized":155},{"from":258,"to":262,"sanitized":155},{"from":264,"to":268,"sanitized":155},{"from":270,"to":274,"sanitized":155},{"from":276,"to":280,"sanitized":155},{"from":346,"to":350,"sanitized":155},{"from":352,"to":356,"sanitized":155},{"from":358,"to":362,"sanitized":155},{"from":364,"to":368,"sanitized":155},{"entryPoint":380,"graph":381,"unsanitizedCount":11,"severity":246},"\u003Cwpscl-admin-functions> (wpscl-admin-functions.php:0)",{"nodes":382,"edges":467},[383,386,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,408,410,412,414,416,418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,453,458,462],{"id":234,"type":235,"label":384,"file":128,"line":385},"$_POST (x3)",73,{"id":240,"type":241,"label":387,"file":128,"line":388,"wp_function":389},"get_row() [SQLi]",74,"get_row",{"id":258,"type":235,"label":252,"file":128,"line":253},{"id":262,"type":241,"label":255,"file":128,"line":253,"wp_function":256},{"id":264,"type":235,"label":259,"file":128,"line":260},{"id":268,"type":241,"label":255,"file":128,"line":260,"wp_function":256},{"id":270,"type":235,"label":265,"file":128,"line":266},{"id":274,"type":241,"label":255,"file":128,"line":266,"wp_function":256},{"id":276,"type":235,"label":271,"file":128,"line":272},{"id":280,"type":241,"label":255,"file":128,"line":272,"wp_function":256},{"id":346,"type":235,"label":277,"file":128,"line":278},{"id":350,"type":241,"label":255,"file":128,"line":278,"wp_function":256},{"id":352,"type":235,"label":292,"file":128,"line":293},{"id":356,"type":241,"label":255,"file":128,"line":293,"wp_function":256},{"id":358,"type":235,"label":296,"file":128,"line":297},{"id":362,"type":241,"label":255,"file":128,"line":297,"wp_function":256},{"id":364,"type":235,"label":300,"file":128,"line":301},{"id":368,"type":241,"label":255,"file":128,"line":301,"wp_function":256},{"id":407,"type":235,"label":304,"file":128,"line":305},"n18",{"id":409,"type":241,"label":255,"file":128,"line":305,"wp_function":256},"n19",{"id":411,"type":235,"label":317,"file":128,"line":318},"n20",{"id":413,"type":241,"label":255,"file":128,"line":318,"wp_function":256},"n21",{"id":415,"type":235,"label":327,"file":128,"line":328},"n22",{"id":417,"type":241,"label":255,"file":128,"line":328,"wp_function":256},"n23",{"id":419,"type":235,"label":331,"file":128,"line":332},"n24",{"id":421,"type":241,"label":255,"file":128,"line":332,"wp_function":256},"n25",{"id":423,"type":235,"label":335,"file":128,"line":216},"n26",{"id":425,"type":241,"label":255,"file":128,"line":216,"wp_function":256},"n27",{"id":427,"type":235,"label":338,"file":128,"line":339},"n28",{"id":429,"type":241,"label":255,"file":128,"line":339,"wp_function":256},"n29",{"id":431,"type":235,"label":342,"file":128,"line":343},"n30",{"id":433,"type":241,"label":255,"file":128,"line":343,"wp_function":256},"n31",{"id":435,"type":235,"label":347,"file":128,"line":348},"n32",{"id":437,"type":241,"label":255,"file":128,"line":348,"wp_function":256},"n33",{"id":439,"type":235,"label":353,"file":128,"line":354},"n34",{"id":441,"type":241,"label":255,"file":128,"line":354,"wp_function":256},"n35",{"id":443,"type":235,"label":359,"file":128,"line":360},"n36",{"id":445,"type":241,"label":255,"file":128,"line":360,"wp_function":256},"n37",{"id":447,"type":235,"label":365,"file":128,"line":366},"n38",{"id":449,"type":241,"label":255,"file":128,"line":366,"wp_function":256},"n39",{"id":451,"type":235,"label":384,"file":128,"line":452},"n40",454,{"id":454,"type":241,"label":455,"file":128,"line":456,"wp_function":457},"n41","get_results() [SQLi]",459,"get_results",{"id":459,"type":235,"label":460,"file":128,"line":461},"n42","$_POST (x2)",87,{"id":463,"type":241,"label":464,"file":128,"line":465,"wp_function":466},"n43","query() [SQLi]",685,"query",[468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489],{"from":234,"to":240,"sanitized":155},{"from":258,"to":262,"sanitized":155},{"from":264,"to":268,"sanitized":155},{"from":270,"to":274,"sanitized":155},{"from":276,"to":280,"sanitized":155},{"from":346,"to":350,"sanitized":155},{"from":352,"to":356,"sanitized":155},{"from":358,"to":362,"sanitized":155},{"from":364,"to":368,"sanitized":155},{"from":407,"to":409,"sanitized":155},{"from":411,"to":413,"sanitized":155},{"from":415,"to":417,"sanitized":155},{"from":419,"to":421,"sanitized":155},{"from":423,"to":425,"sanitized":155},{"from":427,"to":429,"sanitized":155},{"from":431,"to":433,"sanitized":155},{"from":435,"to":437,"sanitized":155},{"from":439,"to":441,"sanitized":155},{"from":443,"to":445,"sanitized":155},{"from":447,"to":449,"sanitized":155},{"from":451,"to":454,"sanitized":155},{"from":459,"to":463,"sanitized":155},{"entryPoint":491,"graph":492,"unsanitizedCount":509,"severity":510},"process_bulk_action (wpscl-Fields_map_table.php:162)",{"nodes":493,"edges":506},[494,497,499,502],{"id":234,"type":235,"label":495,"file":237,"line":496},"$_POST (x6)",183,{"id":240,"type":241,"label":464,"file":237,"line":498,"wp_function":466},192,{"id":258,"type":235,"label":500,"file":237,"line":501},"$_GET",242,{"id":262,"type":241,"label":503,"file":237,"line":504,"wp_function":505},"wp_redirect() [Open Redirect]",249,"wp_redirect",[507,508],{"from":234,"to":240,"sanitized":46},{"from":258,"to":262,"sanitized":46},7,"high",{"entryPoint":512,"graph":513,"unsanitizedCount":509,"severity":510},"\u003Cwpscl-Fields_map_table> (wpscl-Fields_map_table.php:0)",{"nodes":514,"edges":521},[515,516,517,518,519,520],{"id":234,"type":235,"label":236,"file":237,"line":238},{"id":240,"type":241,"label":242,"file":237,"line":238,"wp_function":243},{"id":258,"type":235,"label":495,"file":237,"line":496},{"id":262,"type":241,"label":464,"file":237,"line":498,"wp_function":466},{"id":264,"type":235,"label":500,"file":237,"line":501},{"id":268,"type":241,"label":503,"file":237,"line":504,"wp_function":505},[522,523,524],{"from":234,"to":240,"sanitized":155},{"from":258,"to":262,"sanitized":46},{"from":264,"to":268,"sanitized":46},{"entryPoint":526,"graph":527,"unsanitizedCount":49,"severity":510},"WPSCL_Grid_Ajax_Action_callback (wpscl-admin-functions.php:63)",{"nodes":528,"edges":531},[529,530],{"id":234,"type":235,"label":384,"file":128,"line":385},{"id":240,"type":241,"label":387,"file":128,"line":388,"wp_function":389},[532],{"from":234,"to":240,"sanitized":46},{"entryPoint":534,"graph":535,"unsanitizedCount":26,"severity":510},"WPSCL_Custom_Field_Save (wpscl-admin-functions.php:451)",{"nodes":536,"edges":540},[537,539],{"id":234,"type":235,"label":538,"file":128,"line":452},"$_POST",{"id":240,"type":241,"label":455,"file":128,"line":456,"wp_function":457},[541],{"from":234,"to":240,"sanitized":46},{"entryPoint":543,"graph":544,"unsanitizedCount":552,"severity":510},"InsertLeadToSugar (wpscl.crm.cls.php:202)",{"nodes":545,"edges":550},[546,548],{"id":234,"type":235,"label":460,"file":224,"line":547},218,{"id":240,"type":241,"label":455,"file":224,"line":549,"wp_function":457},221,[551],{"from":234,"to":240,"sanitized":46},2,{"entryPoint":554,"graph":555,"unsanitizedCount":552,"severity":510},"\u003Cwpscl.crm.cls> (wpscl.crm.cls.php:0)",{"nodes":556,"edges":559},[557,558],{"id":234,"type":235,"label":460,"file":224,"line":547},{"id":240,"type":241,"label":455,"file":224,"line":549,"wp_function":457},[560],{"from":234,"to":240,"sanitized":46},{"summary":562,"deductions":563},"The web-to-sugarcrm-lead plugin v1.0.1 exhibits a mixed security posture.  On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and escaping the vast majority of its output, which significantly mitigates common injection vulnerabilities. The absence of bundled libraries and a single external HTTP request are also favorable indicators. However, concerns arise from the presence of the `unserialize` dangerous function, which can lead to remote code execution if improperly handled. Furthermore, the taint analysis reveals six high-severity flows with unsanitized paths, indicating potential for vulnerabilities such as path traversal or insecure file handling. The plugin's attack surface includes 13 AJAX handlers, with three lacking authentication checks, creating an open door for unauthorized actions. While the vulnerability history shows only one past medium-severity CVE related to CSRF, and no currently unpatched vulnerabilities, the presence of past issues and the identified code signals suggest a need for caution. The plugin has strengths in its SQL and output handling but weaknesses in authentication on AJAX endpoints and the risky use of `unserialize` along with critical taint flows.",[564,566,569,571,574],{"reason":565,"points":63},"3 AJAX handlers without auth checks",{"reason":567,"points":568},"6 high severity flows with unsanitized paths",12,{"reason":570,"points":156},"1 dangerous function: unserialize",{"reason":572,"points":573},"0 capability checks",5,{"reason":575,"points":509},"1 known CVE (medium severity)","2026-04-16T14:05:08.774Z",{"wat":578,"direct":587},{"assetPaths":579,"generatorPatterns":583,"scriptPaths":584,"versionParams":586},[580,581,582],"\u002Fwp-content\u002Fplugins\u002Fweb-to-sugarcrm-lead\u002Fjs\u002Fwpscl-admin.min.js","\u002Fwp-content\u002Fplugins\u002Fweb-to-sugarcrm-lead\u002Fwpscl-captcha.php","\u002Fwp-content\u002Fplugins\u002Fweb-to-sugarcrm-lead\u002Fimage\u002Freload_captcha.png",[],[585],"https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fapi.js",[],{"cssClasses":588,"htmlComments":597,"htmlAttributes":598,"restEndpoints":600,"jsGlobals":601,"shortcodeOutput":604},[589,590,591,592,593,594,595,596],"LeadFormMsg","nonHidden","LeadFormRequired","required_cls","WPSCL_captcha","WPSCL_captcha_img","WPSCL_repload_captcha","g-recaptcha",[],[599],"data-sitekey",[],[602,603],"obj_captcha","WPSCL_getHTMLElement",[605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622],"\u003Cdiv class='LeadFormMsg'>Web To SugarCRM Lead Form\u003C\u002Fdiv>","\u003Cform id='WPSCL_Widget_Form' method='POST' enctype='multipart\u002Fform-data'>","\u003Cinput type='hidden' value='","' name='_nonce' \u002F>","\u003Cinput type='hidden' name='action' id='action' value='WidgetForm'>","\u003Cp>\u003Clabel>\u003Cstrong>","\u003C\u002Fstrong>\u003C\u002Flabel>\u003Cbr>","\u003C\u002Fp>","\u003Cinput type='hidden' class='LeadFormEach' name='","' value='","' \u002F>","\u003Cp>\u003Cimg src='","' title='captcha' class='WPSCL_captcha_img'\u002F>","\u003Cimg src='","' title='Reload Captcha' class='WPSCL_repload_captcha'\u002F>\u003C\u002Fp>","\u003Cp>\u003Clabel>\u003Cstrong>Enter Verification Code :\u003C\u002Fstrong>\u003C\u002Flabel>\u003Cinput type='text' name='captcha' id='WPSCL_CAPTCHA' maxlength='5' class='LeadFormRequired'\u002F>\u003C\u002Fp>","\u003Cp>\u003Cinput type='submit' name='submit' value='Submit' id='WidgetFormSubmit'>\u003C\u002Fp>","\u003C\u002Fform>",{"error":155,"url":624,"statusCode":318,"statusMessage":625,"message":625},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fweb-to-sugarcrm-lead\u002Fbundle","no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":552,"versions":627},[628,633],{"version":6,"download_url":24,"svn_tag_url":629,"released_at":36,"has_diff":46,"diff_files_changed":630,"diff_lines":36,"trac_diff_url":631,"vulnerabilities":632,"is_current":155},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fweb-to-sugarcrm-lead\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fweb-to-sugarcrm-lead%2Ftags%2F1.0.0&new_path=%2Fweb-to-sugarcrm-lead%2Ftags%2F1.0.1",[],{"version":634,"download_url":635,"svn_tag_url":636,"released_at":36,"has_diff":46,"diff_files_changed":637,"diff_lines":36,"trac_diff_url":36,"vulnerabilities":638,"is_current":46},"1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fweb-to-sugarcrm-lead.1.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fweb-to-sugarcrm-lead\u002Ftags\u002F1.0.0\u002F",[],[639],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":6}]