WordPress · Integration For Freshsales · CVE-2026-8901
**Name of the Vulnerable Software and Affected Versions**
Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress versions prior to 1.0.16
**Description**
Insufficient input sanitization and output escaping allow unauthenticated attackers to perform Stored Cross-Site Scripting (XSS): a malicious script is injected into the web application, stored there, and later executed in the browsers of other users. The payload is injected via form submission data. It executes when a CRM API call for a submitted form fails and an administrator views the error log details modal in the WordPress admin panel.
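The failure mode described above, as an added PHP example that is not the plugin's code: a log-detail renderer that concatenates stored form values into markup, next to one that escapes them at output time. The function names, the log-entry layout and the sample submission are assumptions constructed for illustration; `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs without WordPress.

```php
<?php
// Added illustration, not the plugin's code. All names are hypothetical.

// Constructed sample: a failed CRM API call logged together with the
// visitor-supplied form fields that were being sent.
$log_entry = [
    'error'  => 'CRM API request failed: HTTP 400',
    'fields' => [
        'first_name' => 'Ada',
        'company'    => '<script>/* constructed test marker */</script>',
    ],
];

// Unsafe pattern: stored values are concatenated into the modal markup as-is,
// so any markup in a submitted field becomes part of the admin page.
function render_log_details_unsafe(array $entry): string {
    $html = '<p>' . $entry['error'] . '</p><table>';
    foreach ($entry['fields'] as $name => $value) {
        $html .= '<tr><th>' . $name . '</th><td>' . $value . '</td></tr>';
    }
    return $html . '</table>';
}

// Escape for an HTML text context. Inside WordPress, esc_html() is the
// function to use; htmlspecialchars() keeps this file runnable on its own.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored value is escaped at output time. Field names
// and the error text are escaped too, on the assumption that they may carry
// submitted data.
function render_log_details_safe(array $entry): string {
    $html = '<p>' . e((string) $entry['error']) . '</p><table>';
    foreach ($entry['fields'] as $name => $value) {
        // Non-scalar values are serialised first so they cannot skip escaping.
        $text = is_scalar($value) ? (string) $value : (string) json_encode($value);
        $html .= '<tr><th>' . e((string) $name) . '</th><td>' . e($text) . '</td></tr>';
    }
    return $html . '</table>';
}

$unsafe = render_log_details_unsafe($log_entry);
$safe   = render_log_details_safe($log_entry);

// Report whether a live <script> tag survives in each rendering.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
var_dump(strpos($safe, '&lt;script&gt;') !== false);
```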
**Recommendations**
Update the plugin to a version later than 1.0.15.