Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-dynamics-crm allows Reflected XSS. This issue affects WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.6.
Published: 2025-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Dynamics CRM plugin for WordPress contains a reflected cross‑site scripting flaw that permits injection of arbitrary JavaScript into pages rendered for users. When user‑controlled data is not correctly neutralized, a crafted URL or form submission can execute code in the victim’s browser, enabling session hijacking, credential theft, or site defacement. This weakness is classified as CWE‑79.

Affected Systems

Vulnerable versions of the CRM Perks WP Dynamics CRM plugin for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms, specifically any release through version 1.1.6, are affected.

Risk and Exploitability

The CVSS score of 7.1 signals a moderate‑to‑high risk, while the EPSS score of less than 1% indicates that exploitation is currently unlikely. The plugin is not listed in the CISA KEV catalog, so there is no known active exploitation campaign. The likely attack vector is reflected input in the plugin's query or form parameters, triggered when a user visits a crafted link sent by an attacker. Because the vulnerability relies on user interaction, a threat actor would need to entice a victim into clicking the malicious URL or submitting a malicious form, after which the injected script would run in the victim's browser.

Generated by OpenCVE AI on May 1, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Dynamics CRM plugin to the latest version that includes the XSS fix, or to a release newer than 1.1.6.
  • Perform a security scan to verify that the plugin’s input handling is no longer vulnerable to reflected XSS.
  • If an update is not immediately possible, implement a Content Security Policy that restricts inline or external scripts and escape all user‑supplied data in relevant templates to limit XSS impact.



Advisories

Source: EUVD
ID: EUVD-2025-3900
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Reflected XSS. This issue affects WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (value removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Reflected XSS. This issue affects WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.6.
Description (value added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-dynamics-crm allows Reflected XSS. This issue affects WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.6.
References: (no values shown)
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 27 Jan 2025 14:30:00 +0000

Description (value added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Reflected XSS. This issue affects WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.6.
Title (value added): WordPress WP Dynamics CRM plugin <= 1.1.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses (value added): CWE-79
References: (no values shown)
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:32.771Z

Reserved: 2025-01-23T14:52:31.176Z

Link: CVE-2025-24708

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-01-27T15:15:16.230

Modified: 2026-06-17T08:59:28.620

Link: CVE-2025-24708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:15:22Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')