CVE-2026-8901 - Vulnerability Details

Description

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.

Published: 2026-06-06

Score: 7.2 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The plugin fails to sanitize and escape form submission data that is stored in an error log. When a CRM API call fails and an administrator opens the error‑log modal, the injected script is executed in the administrator’s browser. This allows an unauthenticated attacker to run arbitrary JavaScript in the context of an authenticated administrator, which can be used to steal session data, deface the site, or perform privileged actions without further authentication.

Affected Systems

WordPress installations that use the "Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More" plugin, versions up to and including 1.0.15. Any site consuming forms from this plugin and displaying error‑log modals is vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a moderate to high risk. No EPSS score is published, so the current exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog, but the lack of authentication on the attack vector and the high impact of exploiting an administrator’s session suggest a notable risk. An attacker can trigger the vulnerability simply by submitting a crafted form; the no‑auth prerequisite and reliance on a subsequent administrator action make the exploit straightforward for a determined attacker.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

plugcrux

Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.15

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the plugin to version 1.0.16 or later to address the stored XSS flaw.
Disable the CRM error‑log feature or remove the plugin until a patched version is available to prevent execution of stored payloads.
Restrict access to the WordPress admin error‑log modal to trusted administrators only, and consider configuring the plugin to suppress error logging for unauthenticated form submissions.

Generated by OpenCVE AI on June 6, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/assets/js/error-log.js#L84
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/db/fw-error-log.php#L75
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/forms/submit-action.php#L555
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/product/fw-errorlog-action.php#L178
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/assets/js/error-log.js#L84
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/db/fw-error-log.php#L75
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/forms/submit-action.php#L555
https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/product/fw-errorlog-action.php#L178
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552999%40crm-integration-freshworks-any-form&new=3552999%40crm-integration-freshworks-any-form&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c8cf71-e9b0-4241-b975-f52aeb823318?source=cve

History

Sat, 06 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.
Title		Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/assets/js/error-log.js#L84 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/db/fw-error-log.php#L75 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/forms/submit-action.php#L555 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/product/fw-errorlog-action.php#L178 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/assets/js/error-log.js#L84 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/db/fw-error-log.php#L75 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/forms/submit-action.php#L555 https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/product/fw-errorlog-action.php#L178 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552999%40crm-integration-freshworks-any-form&new=3552999%40crm-integration-freshworks-any-form&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c8cf71-e9b0-4241-b975-f52aeb823318?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-06T01:26:10.181Z

Updated: 2026-06-06T01:26:10.181Z

Reserved: 2026-05-18T21:14:42.318Z

Link: CVE-2026-8901

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-06T02:16:22.547

Modified: 2026-06-06T02:16:22.547

Link: CVE-2026-8901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T03:30:11Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object