Does Zoho Marketing Automation have any unpatched vulnerabilities?

No. All known vulnerabilities in Zoho Marketing Automation have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Zoho Marketing Automation compatible with WordPress 6.9.4?

According to WordPress.org data, Zoho Marketing Automation 1.3.6 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Zoho Marketing Automation compatible with PHP 5.2.4+?

Zoho Marketing Automation requires PHP 5.2.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Zoho Marketing Automation updated?

Zoho Marketing Automation was last updated on Jan 19, 2026. Frequent updates are generally a positive security signal.

What is Zoho Marketing Automation's security score?

Zoho Marketing Automation has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Zoho Marketing Automation Security & Risk Analysis

wordpress.org/plugins/zoho-marketinghub

Zoho Marketing Automation is an all-in-one marketing automation software that helps you successfully manage your marketing activities across multiple …

1K active installs v1.3.6 PHP 5.2.4+ WP 5.1.1+ Updated Jan 19, 2026

automationmarketing-hubsign-up-formweb-analyticswebsite-tracking

A · Safe

CVEs total1

Unpatched0

Last CVEJun 21, 2024

Plugin page Download

Safety Verdict

Is Zoho Marketing Automation Safe to Use in 2026?

Generally Safe

Score 97/100

Zoho Marketing Automation has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jun 21, 2024Updated 2mo ago

Risk Assessment

The Zoho Marketing Hub plugin v1.3.6 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in output escaping, with 98% of outputs being properly handled, and a strong emphasis on capability checks. The absence of file operations and the generally low number of flows with unsanitized paths are also encouraging signs. However, several areas raise concerns. The presence of two AJAX handlers without authentication checks creates a significant attack surface. The use of the `unserialize` function, while only appearing 6 times, is a known risk for potential arbitrary code execution if not handled with extreme care and robust validation. The plugin's vulnerability history is particularly worrying, with a past critical vulnerability related to SQL Injection. While currently no critical vulnerabilities are unpatched, this history suggests a recurring weakness that requires diligent monitoring and prompt patching of any future issues. The combination of the unpatched CVE history and the static analysis findings of unprotected entry points indicates a need for ongoing vigilance.

Key Concerns

AJAX handlers without authentication checks
Use of dangerous function: unserialize
Past critical CVE (SQL Injection)
Flows with unsanitized paths

Vulnerabilities

Zoho Marketing Automation Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Critical

1 total CVE

CVE-2024-37225critical · 9.9Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Zoho Marketing Automation <= 1.2.7 - Authenticated (Contributor+) SQL Injection

Jun 21, 2024 Patched in 1.2.8 (36d)

Code Analysis

Analyzed Mar 16, 2026

Zoho Marketing Automation Code Analysis

Dangerous Functions

Raw SQL Queries

5 prepared

Unescaped Output

289 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$mh_Object = unserialize(get_option($key));includes\admin\class.zmh-admin.php:725

unserialize$page_scripts = unserialize(get_option('zmhub_script_setting'));includes\class.zmh.php:16

unserialize$mh_Object = unserialize(get_option('zmhub_intergration_details'));includes\class.zmh.php:193

unserialize$mh_Object = unserialize(get_option($key));includes\class.zmh.php:227

unserialize$page_scripts =unserialize(get_option('zmhub_script_setting')); }includes\mh-wa.php:60

unserialize$mh_Object = unserialize(get_option($key));uninstall.php:16

SQL Query Safety

45% prepared11 total queries

Output Escaping

98% escaped295 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

8 flows2 with unsanitized paths

zmhub_order_placed (includes\class.zmh.php:316)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Zoho Marketing Automation Attack Surface

Entry Points18

Unprotected2

AJAX Handlers 16

authwp_ajax_zmhub_connectincludes\admin\class.zmh-admin.php:41

authwp_ajax_zmhub_disconnectincludes\admin\class.zmh-admin.php:42

authwp_ajax_zmhub_fetch_formincludes\admin\class.zmh-admin.php:43

authwp_ajax_zmhub_fetch_webcodeincludes\admin\class.zmh-admin.php:44

authwp_ajax_zmhub_change_form_statusincludes\admin\class.zmh-admin.php:45

authwp_ajax_zmhub_refresh_forms_listincludes\admin\class.zmh-admin.php:46

authwp_ajax_zmhub_get_short_codeincludes\admin\class.zmh-admin.php:47

authwp_ajax_zoho_marketinghub_ratedincludes\admin\class.zmh-admin.php:48

authwp_ajax_zma_update_noticeincludes\admin\class.zmh-admin.php:49

authwp_ajax_zmhub_woocommerce_authorizeincludes\admin\class.zmh-admin.php:50

authwp_ajax_zmhub_add_listincludes\admin\class.zmh-admin.php:51

authwp_ajax_zmhub_integration_statusincludes\admin\class.zmh-admin.php:52

authwp_ajax_zmhub_get_listincludes\admin\class.zmh-admin.php:53

authwp_ajax_zmhub_integration_disconnectincludes\admin\class.zmh-admin.php:54

authwp_ajax_zmhub_optin_saveincludes\admin\class.zmh-admin.php:55

authwp_ajax_zmhub_tracking_migrateincludes\admin\class.zmh-admin.php:56

Shortcodes 2

[zmhub] zmh.php:41

[zmauto] zmh.php:42

WordPress Hooks 22

actionadmin_menuincludes\admin\class.zmh-admin.php:32

actionadmin_enqueue_scriptsincludes\admin\class.zmh-admin.php:33

actionadmin_post_zmhub_save_settingsincludes\admin\class.zmh-admin.php:36

actionadmin_initincludes\admin\class.zmh-admin.php:37

actioncurrent_screenincludes\admin\class.zmh-admin.php:38

filteradmin_footer_textincludes\admin\class.zmh-admin.php:60

actionzmhub_track_order_event_hookincludes\class.zmh.php:143

actionwoocommerce_register_formincludes\class.zmh.php:149

actionwoocommerce_created_customerincludes\class.zmh.php:150

actionwoocommerce_checkout_order_processedincludes\class.zmh.php:151

actionwoocommerce_after_cart_totalsincludes\class.zmh.php:155

actionwoocommerce_before_checkout_billing_formincludes\class.zmh.php:156

actionwoocommerce_cart_item_removedincludes\class.zmh.php:157

actionwoocommerce_checkout_order_processedincludes\class.zmh.php:158

actionwp_footerzmh.php:43

actioninitzmh.php:44

actionplugins_loadedzmh.php:46

actioninitzmh.php:52

actionadmin_noticeszmh.php:53

actionadmin_noticeszmh.php:55

actionbefore_woocommerce_initzmh.php:70

filterwoocommerce_webhook_http_argszmh.php:86

Scheduled Events 3

zmhub_refresh_forms_event

zmhub_track_order_event_hook

Maintenance & Trust

Zoho Marketing Automation Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 19, 2026

PHP min version5.2.4

Downloads27K

Community Trust

Rating0/100

Number of ratings0

Active installs1K

Alternatives

Zoho Marketing Automation Alternatives

MailPoet – Newsletters, Email Marketing, and Automation

mailpoet

Send beautiful newsletters from WordPress. Collect subscribers with signup forms, automate your emails for WooCommerce, blog post notifications & more

500K 3 CVEs

OttoKit: All-in-One Automation Platform

suretriggers

Experience the power of automation within WordPress: Connect 1,300+ apps, automate manual tasks, and unlock your full potential. Get started now!

100K 4 CVEs

Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress

email-subscribers

Add subscription forms on the website and send newsletters & automatically send post notification about new blog posts once it gets published.

60K 42 CVEs

Blog2Social: Social Media Auto Post & Scheduler

blog2social

Automatically share and schedule your WordPress content on top social platforms like Facebook, Instagram, LinkedIn, TikTok, and more.

50K 21 CVEs

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

uncanny-automator

Uncanny Automator is the easiest and most powerful way to connect your WordPress plugins, sites and apps together with powerful automations.

50K 11 CVEs

Developer Profile

Zoho Marketing Automation Developer Profile

Zoho Campaigns

2 plugins · 5K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

17 days

View full developer profile

Detection Fingerprints

How We Detect Zoho Marketing Automation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/zoho-marketinghub/includes/css/zmh-admin.css/wp-content/plugins/zoho-marketinghub/includes/css/zmh-public.css/wp-content/plugins/zoho-marketinghub/includes/js/zmh-admin.js/wp-content/plugins/zoho-marketinghub/includes/js/zmh-public.js

Script Paths

/wp-content/plugins/zoho-marketinghub/includes/js/zmh-admin.js/wp-content/plugins/zoho-marketinghub/includes/js/zmh-public.js

Version Parameters

zoho-marketinghub/includes/css/zmh-admin.css?ver=zoho-marketinghub/includes/css/zmh-public.css?ver=zoho-marketinghub/includes/js/zmh-admin.js?ver=zoho-marketinghub/includes/js/zmh-public.js?ver=

HTML / DOM Fingerprints

CSS Classes

zmhbtn

Data Attributes

data-zmhub-id

JS Globals

ZohoMarketingHubZohoMarketingHub_Admin

Shortcode Output

[zmhub][zmauto]

FAQ