Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More Security & Risk Analysis

The "zoho-forms" v4.0.4 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals no direct SQL injection vulnerabilities due to the use of prepared statements and a limited attack surface with no unprotected entry points identified. The absence of dangerous functions, file operations, and external HTTP requests is also commendable. However, the plugin's vulnerability history is a significant concern, with three previously disclosed medium-severity vulnerabilities, primarily related to Cross-Site Scripting (XSS). The fact that the last known vulnerability was very recent (September 30, 2024) and that there are currently no unpatched CVEs suggests that while vulnerabilities have been addressed, the plugin has a history of introducing such issues, requiring diligent patching.

While the current static analysis doesn't reveal active, exploitable vulnerabilities in this specific version, the pattern of past XSS vulnerabilities indicates a potential weakness in output escaping or input sanitization that could be re-introduced in future updates or might still be present in subtle ways not caught by the static analysis tools. The unescaped output rate of 25% (3 out of 12 outputs) is a point of concern, as even a single unescaped output can lead to XSS if user-supplied data is involved. The presence of the bundled TinyMCE library also warrants attention, as outdated versions of bundled libraries can introduce security risks. Despite a clean taint analysis in this version, the historical pattern and minor output escaping issues necessitate caution.