Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.
Published: 2025-12-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in SQL commands allows a blind SQL injection in the Contact Form 7 HubSpot integration plugin. An attacker can execute arbitrary SQL queries against the database, potentially reading or altering sensitive data. The flaw is a classic input validation problem listed as CWE‑89.

Affected Systems

The vulnerability affects the CRM Perks Integration for Contact Form 7 HubSpot plugin with versions up through 1.4.2. All releases from the initial version up to and including 1.4.2 are impacted, as the plugin does not sanitize parameters used in database queries.

Risk and Exploitability

The CVSS score of 7.6 signifies high severity, but the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not present in the CISA KEV catalog, indicating no known active exploitation yet. Based on the description, the likely attack vector is remote, through normal form submissions or API requests that the plugin handles, allowing an attacker to craft malicious input that the plugin forwards to the database.

Generated by OpenCVE AI on April 29, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Form 7 HubSpot plugin to the latest released version that contains the fix for the SQL injection flaw.
  • If an immediate upgrade is not possible, restrict access to the plugin’s admin area or disable the plugin entirely to block the attack surface until a patch is applied.
  • Conduct a security review of all SQL statements in the plugin’s code to ensure proper input sanitization or use of parameterized queries to prevent similar vulnerabilities.

Generated by OpenCVE AI on April 29, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 29 Dec 2025 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Crm Perks
Crm Perks integration For Contact Form 7 Hubspot
Wordpress
Wordpress wordpress
Vendors & Products Crm Perks
Crm Perks integration For Contact Form 7 Hubspot
Wordpress
Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.
Title WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.2 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Crm Perks Integration For Contact Form 7 Hubspot
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.930Z

Reserved: 2025-12-19T10:17:41.811Z

Link: CVE-2025-68590

cve-icon Vulnrichment

Updated: 2025-12-24T18:47:20.357Z

cve-icon NVD

Status : Deferred

Published: 2025-12-24T13:16:26.337

Modified: 2026-04-27T19:16:34.543

Link: CVE-2025-68590

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:30:14Z

Weaknesses