CVE-2026-2568 - Vulnerability Details

- WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting

Description

The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission data in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-03-03

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WP Zendesk plugin allows attackers without authentication to submit form data that is stored and later rendered without proper sanitization. This flaw enables injection of arbitrary web scripts into stored form entries, which execute whenever any user views the affected page, potentially compromising user browsers or facilitating credential theft.

Affected Systems

All WordPress sites using the WP Zendesk plugin version 1.1.5 or older on the wp‑contact‑form‑7, wpforms, elementor, formidable, and ninja forms integrations are affected. The vulnerability is tied to the plugin’s processing of form submission data, regardless of site-specific customizations.

Risk and Exploitability

The flaw carries a CVSS score of 7.2 and a very low EPSS probability of less than 1%, indicating it is currently not widely exploited. It is not listed in the CISA KEV catalog. Exploitation requires normal user interaction with a public form, but no privileged credentials are needed, making the attack vector purely unauthenticated via standard web traffic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

crmperks

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.5

No data.

Vendor Product Confidence Versions

Crmperks

Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms

100%

Version	Status	Scheme	Platform
`[0,1.1.5]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the WP Zendesk plugin to the latest version (post‑1.1.5) to remove the stored XSS vulnerability.
Apply a web application firewall or similar security plugin to filter and block suspicious script payloads if an update cannot be performed immediately.
Audit all stored form submissions for injected scripts and remove any malicious entries to prevent accidental execution while patching is underway.

Generated by OpenCVE AI on April 15, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00141.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3467904/
https://www.wordfence.com/threat-intel/vulnerabilities/id/27d26d1c-d027-4a22-af49-4d7684d36d40?source=cve

History

Wed, 04 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Crmperks Crmperks wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms Wordpress Wordpress wordpress
Vendors & Products		Crmperks Crmperks wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms Wordpress Wordpress wordpress

Tue, 03 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Mar 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission data in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3467904/ https://www.wordfence.com/threat-intel/vulnerabilities/id/27d26d1c-d027-4a22-af49-4d7684d36d40?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Crmperks Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-03T09:24:12.272Z

Updated: 2026-04-08T16:42:59.062Z

Reserved: 2026-02-15T21:12:03.516Z

Link: CVE-2026-2568

Vulnrichment

Updated: 2026-03-03T14:49:16.889Z

NVD

Status : Deferred

Published: 2026-03-03T10:16:06.473

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-2568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object