Stored Cross-Site Scripting in Freshsales Integration for WordPress
CVE-2026-8901
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 6 June 2026
What is CVE-2026-8901?
The Freshsales Integration for Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is susceptible to Stored Cross-Site Scripting through Form Submission Data in all versions up to and including 1.0.15. This vulnerability arises from inadequate input sanitization and output escaping, enabling unauthenticated attackers to inject malicious web scripts into pages. The exploit triggers when a CRM API call fails for the submitted form, leading to the execution of the malicious payload when an administrator views relevant error log details in the WordPress admin panel.
Affected Version(s)
Integration for Freshsales β Contact Form 7, WPForms, Elementor, Gravity Forms and More 0 <= 1.0.15