The security loophole means that it is possible for strangers to connect to the toys and talk to children without their parents' knowledge.
A spokesperson for Vivid Imaginations, i-Que's maker, said the company was aware of recent reports on connected toys which raised security issues.
Which? is asking all retailers - such as Argos, Amazon ad Toys R Us - to stop selling smart toys with known security problems.
The group's resident hackers found they could send text and audio messages through the toys, either through their companion apps or by connecting via laptop, without a password or other form of authentication.
Which? found someone could hack CloudPets via its unsecured Bluetooth connection and make it play their own voice messages.
The investigation found that people could use a toy to communicate with a child in four out of the seven devices tested.
These unsecure connections meant that researchers didn't need a password or a PIN to access the device and that very little technical know-how was needed to take control of the voice module. But the Which? investigation revealed that anyone could download the app, find a toy within Bluetooth range and start chatting using the robot's voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns.
"Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk", he said.
CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child messages that are played on a built-in speaker.
It found that these toys use unsecured Bluetooth connections and it would be "too easy" for someone to use them to talk to a child.
However, Which? found the Bluetooth lacks any authentication protections, meaning hackers could send their voice messages to a child and receive answers back.
"Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution. If that can't be guaranteed, then the products should not be sold".
"While it may be technically possible for a third party to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".
The I-Que Intelligent Robot (left) has previously featured on Hamleys top toys Christmas list. The company insisted it would be hard to hack the toy.
It said: 'While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy.
Hasbro, manufacturer of the Furby, took issue with Which?'s test.
"A tremendous amount of engineering would be required to reverse-engineer the product as well as to create new firmware". In support of this, we also engaged a third party to perform security testing on the Furby Connect toy and Furby Connect World app.
Cloud Pets & Toy Fi - Spiral Toys declined to comment.
The British Toy & Hobby Association (BTHA) played down the significance of the Which? research.