Impact
Cross‑Site Request Forgery (CSRF) exists in the CRM Perks Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin. An attacker can craft a request that a logged‑in WordPress user unknowingly submits, causing the plugin to perform actions such as adding or modifying data without the user's consent. The flaw is a classic CSRF vulnerability (CWE‑352) that jeopardizes the integrity and authenticity of the user's data within the plugin, although it does not directly expose privileged system resources.
Affected Systems
The vulnerability affects the CRM Perks Integration for Google Sheets and Contact Form 7 plugin and its bundled integrations for Contact Form 7, WPForms, Elementor, and Ninja Forms. All released versions up to and including 1.0.9 are vulnerable: the plugin's request handlers lack CSRF checks, so a fix can only arrive in a release later than 1.0.9. The affected product is a WordPress plugin that connects form submissions to Google Sheets.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1 % shows that this flaw is unlikely to be actively exploited. It is not listed in the CISA KEV catalog. Exploitation requires a victim who holds a legitimate account with sufficient privileges and a crafted request that the victim's browser submits; because the plugin performs no CSRF validation, it accepts that request as if the user had intended it. Because the attack vector is web‑based and depends on user interaction, the operational risk remains low to moderate unless the site hosts high‑value form data.
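As an added illustration (not the plugin's own code), a hypothetical WordPress settings handler of the kind this flaw concerns: the first function accepts any POST from a logged-in user, the second ties the request to a nonce and a capability check. The hook, option and nonce names are assumptions.

```php
<?php
// Added example, not the plugin's own code. The hook name, option key and
// nonce action below are assumptions chosen for illustration.

// BEFORE: a handler with no CSRF protection. Any site the victim visits can
// make the victim's browser POST here, and the handler cannot tell the
// request apart from one the user actually intended.
function example_save_sheet_unsafe() {
    if ( isset( $_POST['sheet_id'] ) ) {
        update_option( 'example_sheet_id', sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// AFTER: the settings page embeds a nonce bound to this action and the
// current user, and the handler refuses requests that lack a valid one.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_sheet">
        <?php wp_nonce_field( 'example_save_sheet', 'example_nonce' ); ?>
        <input type="text" name="sheet_id">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_sheet', 'example_save_sheet_safe' );
function example_save_sheet_safe() {
    // Stops with a "link has expired" page unless example_nonce carries a
    // valid nonce for this action; a forged cross-site request cannot
    // obtain one, because nonces are never exposed to other origins.
    check_admin_referer( 'example_save_sheet', 'example_nonce' );

    // CSRF protection is not authorization: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    if ( isset( $_POST['sheet_id'] ) ) {
        update_option( 'example_sheet_id', sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
```

Only the hardened handler is registered on the hook; the unsafe function is shown solely to make the missing check visible.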
OpenCVE Enrichment
EUVD