CVE-2026-9734
Received Received - Intake

Cross-Site Request Forgery in W3SC Elementor to Zoho CRM Plugin

Vulnerability report for CVE-2026-9734, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: Wordfence

Description

The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin's Zoho CRM integration settings, replacing the configured data center, client ID, client secret, and user email credentials with attacker-controlled values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
w3sc elementor_to_zoho_crm to 2.2.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the W3SC Elementor to Zoho CRM WordPress plugin up to version 2.2.0. It occurs because the plugin lacks proper nonce validation on the storeInfo function. Attackers can exploit this by tricking an administrator into clicking a malicious link, which allows them to change the plugin's Zoho CRM settings, including data center, client ID, client secret, and user email credentials.

Detection Guidance

This vulnerability can be detected by checking if the W3SC Elementor to Zoho CRM plugin is installed and active on your WordPress site. Review the plugin version to confirm if it is up to date (vulnerable if <= 2.2.0). Inspect server logs for suspicious requests targeting the storeInfo function or unusual modifications to Zoho CRM integration settings.

Impact Analysis

If exploited, this vulnerability could allow attackers to take control of the plugin's Zoho CRM integration. This might lead to unauthorized access to CRM data, potential data breaches, or manipulation of business workflows. Users could face compromised customer data or operational disruptions if the attacker modifies settings.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR or HIPAA if it results in unauthorized access or exposure of personal or sensitive data. GDPR requires protecting personal data, while HIPAA mandates safeguarding health information. A breach could trigger legal penalties, fines, or reputational damage due to compromised data integrity.

Mitigation Strategies

Immediately update the W3SC Elementor to Zoho CRM plugin to the latest version if available. If no update exists, consider disabling or removing the plugin until a patch is released. Implement additional security measures such as restricting administrative access and monitoring for unauthorized changes to plugin settings.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9734. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart