Description
The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.
Published: 2026-06-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to sanitize and escape form submission data that is stored in an error log. When a CRM API call fails and an administrator opens the error‑log modal, the injected script is executed in the administrator’s browser. This allows an unauthenticated attacker to run arbitrary JavaScript in the context of an authenticated administrator, which can be used to steal session data, deface the site, or perform privileged actions without further authentication.

Affected Systems

WordPress installations that use the "Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More" plugin, versions up to and including 1.0.15. Any site consuming forms from this plugin and displaying error‑log modals is vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a moderate to high risk. No EPSS score is published, so the current exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog, but the lack of authentication on the attack vector and the high impact of exploiting an administrator’s session suggest a notable risk. An attacker can trigger the vulnerability simply by submitting a crafted form; the no‑auth prerequisite and reliance on a subsequent administrator action make the exploit straightforward for a determined attacker.

Generated by OpenCVE AI on June 6, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 1.0.16 or later to address the stored XSS flaw.
  • Disable the CRM error‑log feature or remove the plugin until a patched version is available to prevent execution of stored payloads.
  • Restrict access to the WordPress admin error‑log modal to trusted administrators only, and consider configuring the plugin to suppress error logging for unauthenticated form submissions.

Generated by OpenCVE AI on June 6, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Plugcrux
Plugcrux integration For Freshsales – Contact Form 7, Wpforms, Elementor, Gravity Forms And More
Wordpress
Wordpress wordpress
Vendors & Products Plugcrux
Plugcrux integration For Freshsales – Contact Form 7, Wpforms, Elementor, Gravity Forms And More
Wordpress
Wordpress wordpress

Sat, 06 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.
Title Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Plugcrux Integration For Freshsales – Contact Form 7, Wpforms, Elementor, Gravity Forms And More
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:44:54.182Z

Reserved: 2026-05-18T21:14:42.318Z

Link: CVE-2026-8901

cve-icon Vulnrichment

Updated: 2026-06-06T11:44:49.088Z

cve-icon NVD

Status : Deferred

Published: 2026-06-06T02:16:22.547

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-8901

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:15:21Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')