Zoho Campaigns Security & Risk Analysis

wordpress.org/plugins/zoho-campaigns

Zoho Campaigns

4K active installs · v2.1.6 · PHP + WP 5.0+ · Updated Feb 19, 2026
abandoned-cart, email-marketing, marketing-automation, signup-forms, woocommerce
95
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jul 11, 2024
Safety Verdict

Is Zoho Campaigns Safe to Use in 2026?

Generally Safe

Score 95/100

Zoho Campaigns has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jul 11, 2024 · Updated 1mo ago
Risk Assessment

The Zoho Campaigns plugin v2.1.7 exhibits a mixed security posture. On the positive side, static analysis reveals strong adherence to security best practices, with a very high percentage of SQL queries using prepared statements and outputs properly escaped. Nonce and capability checks are prevalent across its entry points. The complete absence of unpatched CVEs and critical taint flows is also a significant strength.

However, the plugin calls `unserialize`, which is flagged as a dangerous function; even though taint analysis did not flag it in this specific version, it represents a potential risk. The vulnerability history, including one past critical CVE and several medium vulnerabilities of types like XSS, CSRF, and SQL Injection, suggests a pattern of past security weaknesses. While all historical CVEs are currently unpatched, the discovery of a critical vulnerability as recently as 2024-07-11 warrants careful attention.

In conclusion, while v2.1.7 demonstrates improvements in core security practices like prepared statements and output escaping, the historical vulnerability profile and the presence of a dangerous function like `unserialize` necessitate ongoing vigilance. Users should ensure they are on the latest patched version and monitor for future security advisories.

Key Concerns

  • Dangerous function 'unserialize' found
  • Past critical CVE (currently unpatched)
  • Past medium CVEs (multiple types)
  • Recent critical vulnerability discovered (2024-07-11)
Vulnerabilities
4

Zoho Campaigns Security Vulnerabilities

CVEs by Year

4 CVEs in 2024

Severity Breakdown

Critical: 1
Medium: 3

4 total CVEs

CVE-2024-38752 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Zoho Campaigns <= 2.0.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Jul 11, 2024 · Patched in 2.1.0 (16d)

CVE-2024-32442 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Zoho Campaigns <= 2.0.7 - Cross-Site Request Forgery via zcwc_integration_disconnect

Apr 12, 2024 · Patched in 2.0.8 (6d)

CVE-2024-32441 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Zoho Campaigns <= 2.0.7 - Cross-Site Request Forgery via zcwc_optin_save

Apr 12, 2024 · Patched in 2.0.8 (6d)

CVE-2024-30239 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Zoho Campaigns <= 2.0.6 - Authenticated (Contributor+) SQL Injection

Mar 26, 2024 · Patched in 2.0.7 (23d)

Code Analysis
Analyzed Mar 16, 2026

Zoho Campaigns Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 1 (18 prepared)
Unescaped Output: 2 (190 escaped)
Nonce Checks: 12
Capability Checks: 23
File Operations: 1
External Requests: 11
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$mh_Object = unserialize(get_option($key));` · includes\admin\class.zcwc-admin.php:801
unserialize · `$mh_Object = unserialize(get_option('zcwc_intergration_details'));` · includes\class.zcwc.php:149
unserialize · `$mh_Object = unserialize(get_option($key));` · includes\class.zcwc.php:183
unserialize · `$mh_Object = unserialize(get_option($key));` · uninstall.php:17

SQL Query Safety

95% prepared · 19 total queries

Output Escaping

99% escaped · 192 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
zcwc_order_placed (includes\class.zcwc.php:269)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Zoho Campaigns Attack Surface

Entry Points: 14
Unprotected: 0

AJAX Handlers 13

auth · wp_ajax_zcwc_connect · includes\admin\class.zcwc-admin.php:38
auth · wp_ajax_zcwc_disconnect · includes\admin\class.zcwc-admin.php:39
auth · wp_ajax_zcwc_fetch_form · includes\admin\class.zcwc-admin.php:40
auth · wp_ajax_zcwc_change_form_status · includes\admin\class.zcwc-admin.php:41
auth · wp_ajax_zcwc_refresh_forms_list · includes\admin\class.zcwc-admin.php:42
auth · wp_ajax_zcwc_get_short_code · includes\admin\class.zcwc-admin.php:43
auth · wp_ajax_zoho_campaign_rated · includes\admin\class.zcwc-admin.php:44
auth · wp_ajax_zcwc_woocommerce_authorize · includes\admin\class.zcwc-admin.php:45
auth · wp_ajax_zcwc_add_list · includes\admin\class.zcwc-admin.php:46
auth · wp_ajax_zcwc_integration_status · includes\admin\class.zcwc-admin.php:47
auth · wp_ajax_zcwc_get_list · includes\admin\class.zcwc-admin.php:48
auth · wp_ajax_zcwc_integration_disconnect · includes\admin\class.zcwc-admin.php:49
auth · wp_ajax_zcwc_optin_save · includes\admin\class.zcwc-admin.php:50

Shortcodes 1

[zcwp] · includes\class.zcwc.php:26

WordPress Hooks 19

action · admin_menu · includes\admin\class.zcwc-admin.php:31
action · admin_enqueue_scripts · includes\admin\class.zcwc-admin.php:32
action · current_screen · includes\admin\class.zcwc-admin.php:35
filter · admin_footer_text · includes\admin\class.zcwc-admin.php:54
action · wp_enqueue_scripts · includes\class.zcwc.php:27
action · zcwc_track_order_event_hook · includes\class.zcwc.php:29
action · woocommerce_register_form · includes\class.zcwc.php:35
action · woocommerce_created_customer · includes\class.zcwc.php:36
action · woocommerce_checkout_order_processed · includes\class.zcwc.php:37
action · woocommerce_after_cart_totals · includes\class.zcwc.php:41
action · woocommerce_before_checkout_billing_form · includes\class.zcwc.php:42
action · woocommerce_cart_item_removed · includes\class.zcwc.php:43
action · woocommerce_checkout_order_processed · includes\class.zcwc.php:44
action · init · index.php:45
action · user_register · index.php:46
action · profile_update · index.php:47
action · init · index.php:54
action · before_woocommerce_init · index.php:56
filter · woocommerce_webhook_http_args · index.php:71

Scheduled Events 2

zcwc_track_order_event_hook
zcwc_track_order_event_hook
Maintenance & Trust

Zoho Campaigns Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 19, 2026
PHP min version
Downloads: 96K

Community Trust

Rating: 40/100
Number of ratings: 20
Active installs: 4K
Developer Profile

Zoho Campaigns Developer Profile

Zoho Campaigns

2 plugins · 5K total installs

Trust score: 91
Avg Security Score: 96/100
Avg Patch Time: 17 days
Detection Fingerprints

How We Detect Zoho Campaigns

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/zoho-campaigns/css/zcwc-styles.css
/wp-content/plugins/zoho-campaigns/css/zcwc-admin-styles.css
/wp-content/plugins/zoho-campaigns/js/zcwc-admin.js
/wp-content/plugins/zoho-campaigns/js/zcwc-public.js
/wp-content/plugins/zoho-campaigns/js/zcwc-utility.js
Script Paths
/wp-content/plugins/zoho-campaigns/js/zcwc-admin.js
/wp-content/plugins/zoho-campaigns/js/zcwc-public.js
/wp-content/plugins/zoho-campaigns/js/zcwc-utility.js
Version Parameters
zoho-campaigns/css/zcwc-styles.css?ver=
zoho-campaigns/css/zcwc-admin-styles.css?ver=
zoho-campaigns/js/zcwc-admin.js?ver=
zoho-campaigns/js/zcwc-public.js?ver=
zoho-campaigns/js/zcwc-utility.js?ver=

HTML / DOM Fingerprints

CSS Classes
zcwc-admin-menu
zcwc-connect-button
zcwc-form-list
zcwc-integration-settings
HTML Comments
<!-- Zoho Campaigns Plugin -->
<!-- Zoho Campaigns Admin Area -->
Data Attributes
data-zcwc-form-id
data-zcwc-action
data-zcwc-nonce
JS Globals
zcwc_admin_ajax_object
zcwc_public_ajax_object
ZC4WP_VERSION
REST Endpoints
/wp-json/zcwc/v1/connect
/wp-json/zcwc/v1/disconnect
/wp-json/zcwc/v1/forms
/wp-json/zcwc/v1/settings
Shortcode Output
[zoho_campaigns_form]
[zcwc_embedded_form id=]