W3SCloud Contact Form 7 to Zoho CRM CVE-2025-60169
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in W3S Cloud Technology W3SCloud Contact Form 7 to Zoho CRM allows Stored XSS. This issue affects W3SCloud Contact Form 7 to Zoho CRM: from n/a through 3.0.
AnalysisAI
Stored cross-site scripting can be injected into W3SCloud Contact Form 7 to Zoho CRM plugin for WordPress (versions through 3.0) via CSRF attack, allowing unauthenticated remote attackers to execute malicious JavaScript in administrator sessions when admins are tricked into visiting attacker-controlled pages. The vulnerability chains CSRF (CWE-352) with stored XSS, enabling privilege escalation from no access to stored administrative malicious code. EPSS score of 0.01% (3rd percentile) indicates minimal observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability affects a WordPress plugin that integrates Contact Form 7 with Zoho CRM. The root cause is missing CSRF token validation (CWE-352) on administrative endpoints that process or store data. Because CSRF protections are absent, an attacker can craft malicious forms that, when submitted by an authenticated administrator, inject XSS payloads into the plugin's stored configuration or data fields. These stored payloads then execute in the context of the WordPress admin panel whenever the data is rendered. The attack vector is network-based (AV:N) with low complexity (AC:L), requiring no authentication (PR:N) but user interaction (UI:R). The scope change (S:C) indicates the XSS can affect resources beyond the vulnerable plugin's security context, potentially compromising the entire WordPress installation.
Affected ProductsAI
W3SCloud Contact Form 7 to Zoho CRM plugin for WordPress, all versions from initial release through version 3.0. The vulnerability was reported by audit@patchstack.com and documented in Patchstack's WordPress vulnerability database. According to the CVE description, the affected version range starts from an unspecified initial version (n/a) through version 3.0 inclusive. Vendor advisory and detailed technical analysis available at Patchstack database reference URL.
RemediationAI
Upgrade W3SCloud Contact Form 7 to Zoho CRM plugin to version 3.1 or later if available (check WordPress plugin repository or vendor website for latest release). Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/w3s-cf7-zoho/ for confirmed patched version and vendor response status. If no patched version exists, implement compensating controls: disable the plugin until patch is available (breaks Contact Form 7 to Zoho CRM integration workflow), restrict WordPress admin access to trusted IP addresses only (reduces CSRF attack surface but hinders remote administration), deploy web application firewall rules to detect CSRF attempts without valid nonces (may generate false positives on legitimate admin actions), and implement Content Security Policy headers to mitigate stored XSS execution (requires careful tuning to avoid breaking WordPress admin functionality). Monitor WordPress admin activity logs for unexpected configuration changes to the plugin settings.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today