HIGH 7.2

CVE-2026-8901: Stored XSS in Freshsales Integration Plugin for WordPress (1.0.15 and Earlier)

A WordPress plugin called 'Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More' contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.0.15. Attackers can inject malicious scripts through form submissions. The injected code executes when a form submission fails to reach the CRM API and an administrator later views the error details in the WordPress admin dashboard. This affects any WordPress site using the vulnerable plugin versions without requiring the attacker to be logged in.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.

10 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's form submission handling. When form data is processed and a CRM API call fails, the plugin stores the unescaped submission data. This data is later rendered in an admin-level error log modal without proper HTML encoding. An unauthenticated attacker can craft a form submission containing JavaScript payloads in any form field. If the API call fails (a condition the attacker may trigger or wait for naturally), the payload persists in the database as stored XSS. Execution occurs in the administrative context when a site administrator accesses the error details, allowing the attacker's script to run with the privileges of that admin user.

Business impact

Sites using this plugin are at risk of admin account compromise, unauthorized configuration changes, and data theft. Because the payload executes in the admin panel, attackers can potentially modify plugin settings, create backdoor accounts, or extract sensitive configuration data. For organizations using the plugin to integrate WordPress forms with Freshsales CRM, compromised admin sessions could expose form submission data and disrupt CRM synchronization workflows. The attack requires an administrator to view the error log, creating an indirect but persistent risk for any site with stored malicious payloads.

Affected systems

Any WordPress installation running the 'Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More' plugin in version 1.0.15 or earlier is vulnerable. The plugin is designed to work with multiple popular form builders (Contact Form 7, WPForms, Elementor, Gravity Forms), so the scope of affected installations is potentially broad among WordPress sites using these form solutions. The vulnerability does not require any specific configuration; it affects all installations of the vulnerable versions.

Exploitability

Exploitation requires no authentication and no special user interaction beyond normal form submission. An attacker simply submits a form with malicious JavaScript payloads and waits for (or engineers) an API failure condition. The barrier to triggering an API failure may be low—network issues, credential misconfigurations, or intentional rate-limiting could cause failures. However, the payload only executes when an administrator accesses the error log modal, introducing a latency dependency. The attack is feasible but depends on admin activity; it is not instantaneous like reflected XSS. The CVSS 3.1 score of 7.2 (HIGH) reflects the network-accessible, low-complexity attack vector balanced against the requirement for an admin to view the error log.

Remediation

Update the 'Integration for Freshsales' plugin to a version released after 1.0.15 that includes fixes for input sanitization and output escaping. Site administrators should check the plugin's official WordPress.org repository or the vendor's advisory for the patched version number. Until patched, site owners may consider disabling the plugin if form-to-CRM functionality is not critical, or restricting form access to authenticated users only to reduce attack surface. Review error logs and admin activity logs to detect any stored XSS payloads that may have been injected during the vulnerable period.

Patch guidance

Verify the patched version against the plugin vendor's official security advisory on WordPress.org. Once a fixed version is released, use WordPress's built-in plugin update mechanism to upgrade directly. After updating, verify that form submissions and CRM API integrations continue to function correctly, especially error handling. Test with non-production form submissions first if possible. If automatic updates are enabled, ensure the site is monitored during the update process.

Detection guidance

Search the WordPress admin error logs and database for form submission data containing script tags, event handlers (e.g., 'onerror=', 'onclick='), or other JavaScript patterns in stored form fields. Use your WordPress security plugin (if installed) to scan for XSS vulnerabilities. Check the plugin version reported in wp-admin and log any form submissions that occurred before patching. If the plugin exposes error logs via REST API or other interfaces, audit those endpoints for exposed payload data. Review admin access logs for any suspicious account activity or configuration changes that coincided with plugin updates or error log access.

Why prioritize this

Prioritize this vulnerability for patching because it affects a commonly-used WordPress integration plugin, requires no authentication or complex setup to exploit, and can lead to admin account compromise. Although execution depends on admin activity, the persistence of stored XSS means the risk accumulates over time as attackers inject payloads into form submissions. The cross-site impact (as indicated by the CVSS vector 'S:C') means a single compromised admin session could affect the entire site. For organizations with active form submissions and regular admin oversight, the attack surface is measurable and real.

Risk score, explained

The CVSS 3.1 score of 7.2 (HIGH severity) reflects a network-accessible vulnerability with low attack complexity and no privileges required. The scope is changed (S:C), meaning the impact extends beyond the vulnerable component to the entire WordPress site and its users. Confidentiality and Integrity are impacted (C:L, I:L) via admin account compromise, while Availability is not affected (A:N). The score balances the relative ease of injection against the practical requirement that an admin must view the error log—a constraint that does not reduce the base score but is mitigated through network segmentation and access controls.

Frequently asked questions

Do I need to have submitted a form for this vulnerability to affect me?

No. An attacker can submit a malicious form without any legitimate form submission from a user. The attacker simply crafts the malicious payload themselves and submits it. However, if the form submission triggers a CRM API failure (which the attacker cannot always control), the payload must persist in the system until an administrator views the error log.

If I disable CRM API integration, am I protected?

Disabling CRM integration reduces the likelihood of API failures that cause payloads to be stored, but it does not address the underlying sanitization flaw. If existing payloads are in the database or if the integration is re-enabled, the vulnerability remains. The proper fix is to update the plugin to a patched version.

What is the difference between stored and reflected XSS, and why does this matter for prioritization?

Reflected XSS executes once per malicious link, requiring the victim to click a specific crafted URL. Stored XSS persists in the database and executes every time the vulnerable page is accessed, affecting all admins who view the error log indefinitely. Stored XSS is typically considered more dangerous because it accumulates and affects multiple users over time. This vulnerability is stored XSS in an admin panel, which elevates the risk significantly.

Will my site be protected if I restrict form access to logged-in users only?

This reduces but does not eliminate risk. Logged-in users could still inject payloads if they have access to the vulnerable form. However, it does narrow the attack surface by preventing completely unauthenticated submissions. For defense-in-depth, combine this with prompt patching of the plugin.

This analysis is based on the CVE description and publicly available information as of the publication date. Patch availability, version numbers, and remediation steps should be verified against the official WordPress.org plugin page and the vendor's security advisory. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct internal testing before deploying patches to production environments. SEC.co assumes no liability for the accuracy of third-party vendor disclosures or the completeness of available updates. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).