WordPress Plugin Vulnerabilities

Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.3 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect its settings_page action against CSRF attacks, allowing an attacker to update the plugin settings on their behalf by tricking a logged in admin to submit a crafted request.

Affects Plugins

Plugin icon
cf7-zoho
Fixed in 1.2.3

References

CVE
CVE-2023-25976
URL
https://patchstack.com/database/vulnerability/cf7-zoho/wordpress-integration-for-contact-form-7-and-zoho-crm-bigin-plugin-1-2-2-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
00c864b4-1114-4aa9-8de1-4bb1154a79fa

Timeline

Publicly Published
2023-02-22 (about 3 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2025-10-24
Title
Simple Registration for WooCommerce < 1.5.9 - Cross-Site Request Forgery to Privilege Escalation via Role Request Approval
Published
2025-09-10
Title
Admin in English with Switch <= 1.1 - Cross-Site Request Forgery
Published
2024-04-11
Title
Wow Skype Buttons < 4.0.4 - Button Deletion via CSRF
Published
2024-07-06
Title
Ultimate Auction < 4.2.6 - Cross-Site Request Forgery
Published
2024-06-21
Title
UberMenu < 3.8.4 - Cross-Site Request Forgery to Settings Reset