CVE-2023-37982 in Integration for Contact Form 7 and Salesforce Plugininfo

Summary

by MITRE • 12/19/2023

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.3.3.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/04/2026

This open redirect vulnerability represents a critical security weakness that allows attackers to manipulate web applications into redirecting users to malicious external domains. The flaw specifically impacts the CRM Perks Integration for Salesforce and several popular WordPress form plugins including Contact Form 7, WPForms, Elementor, and Ninja Forms. The vulnerability exists within version ranges from n/a through 1.3.3, indicating that all versions within this spectrum are potentially susceptible to exploitation. This type of vulnerability falls under CWE-601 which categorizes open redirect flaws as security weaknesses that can be exploited in web applications.

The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the redirect functionality of these WordPress plugins. When users interact with forms or CRM integration features, the application processes redirect parameters without proper verification of destination URLs. Attackers can craft malicious URLs containing crafted redirect parameters that bypass security checks, potentially leading to phishing attacks or malware distribution. The vulnerability operates by accepting user-supplied input that determines the redirection target, failing to validate whether the specified URL belongs to a trusted domain.

Operational impact of this vulnerability extends beyond simple user inconvenience to serious security risks for organizations relying on these plugins. Attackers can exploit the open redirect to create convincing phishing pages that appear legitimate within the context of trusted domains, potentially harvesting sensitive credentials or personal information from unsuspecting users. The attack vector is particularly dangerous in enterprise environments where CRM data and contact forms contain sensitive business information. This weakness enables social engineering attacks that can bypass traditional security controls, as the malicious redirection appears to originate from a legitimate source.

Mitigation strategies should focus on implementing strict input validation and domain whitelisting for all redirect operations within affected plugins. Organizations should immediately update to patched versions of the vulnerable plugins where available, or implement web application firewalls that can detect and block suspicious redirect patterns. Security teams should also conduct comprehensive audits of all WordPress installations to identify potentially vulnerable plugins and implement proper URL validation mechanisms. This vulnerability aligns with attack techniques described in the ATT&CK framework under T1566 which covers phishing and social engineering tactics, specifically targeting user trust through manipulated web navigation paths. Regular security assessments and dependency monitoring are crucial for preventing exploitation of similar redirect vulnerabilities in other components of the web application ecosystem.

Reservation

07/11/2023

Disclosure

12/19/2023

Moderation

accepted

CPE

ready

EPSS

0.00414

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!