PatchSiren cyber security CVE debrief
CVE-2026-8901 plugcrux CVE debrief
CVE-2026-8901 is a HIGH severity vulnerability (CVSS Score: 7.2) in the Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts via form submission data, which can be executed when an administrator views error log details.
- Vendor
- plugcrux
- Product
- Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-06
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-06
- Advisory updated
- 2026-06-08
Who should care
Administrators of WordPress sites running the Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin. Because the plugin forwards submissions from public-facing forms to the Freshsales CRM, any site that accepts anonymous form submissions is exposed: the attacker needs no account, only the ability to submit a form whose data the plugin later shows to an administrator.
Technical summary
The plugin stores form submission data without adequate input sanitization and later renders it without output escaping, which makes it vulnerable to Stored Cross-Site Scripting (XSS). When the plugin's call to the CRM API fails, the submitted values are kept in an error log; when an administrator opens the error log details modal in the WordPress dashboard, the stored markup is emitted into the page and the injected script runs in the administrator's browser, with the administrator's session and capabilities. The attacker's only action is submitting a form with a crafted field value; execution is then triggered by a legitimate administrator reviewing failed submissions, so the error log itself must be treated as attacker-controlled content until the plugin is updated.
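The defect class described above, as an added illustration that is not the plugin's own code: a hypothetical error-log details renderer that concatenates stored form values straight into the admin modal HTML, beside a hardened version that sanitizes on intake with sanitize_text_field and escapes every value at the point it is written into HTML with esc_html and esc_attr. The function names, the $log_entries structure, the sample payload and the stand-in definitions of the three WordPress functions (present only so the file runs from the PHP CLI outside WordPress) are assumptions, not details taken from the affected plugin.

```php
<?php
// Added illustration, not the plugin's code. Function names and the entry
// structure are hypothetical. The stand-ins below approximate the WordPress
// core functions closely enough for this demonstration and are skipped when
// the file is loaded inside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Core strips tags, control characters and surrounding whitespace;
        // this approximation does the same. Note that it does NOT escape quotes,
        // which is why it never replaces output escaping.
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', strip_tags( (string) $str ) ) );
    }
}

// Constructed sample: one failed CRM push whose form data carries an XSS
// payload in the "name" field, exactly as an anonymous visitor could submit it.
$log_entries = [
    [
        'form'   => 'Contact Form 7 #12',
        'error'  => 'HTTP 401 from CRM API',
        'fields' => [
            'name'  => '<img src=x onerror="alert(document.cookie)">',
            'email' => 'visitor@example.invalid',
        ],
    ],
];

// Vulnerable pattern: stored values are written into the modal HTML as-is.
// The field key lands in an attribute, the value in a text node; neither is escaped.
function render_error_log_modal_vulnerable( array $entries ): string {
    $html = '<table>';
    foreach ( $entries as $entry ) {
        $html .= '<tr><th>' . $entry['form'] . '</th><td>' . $entry['error'] . '</td></tr>';
        foreach ( $entry['fields'] as $key => $value ) {
            $html .= '<tr><td data-field="' . $key . '">' . $key . '</td><td>' . $value . '</td></tr>';
        }
    }
    return $html . '</table>';
}

// Hardened intake: sanitize each submitted key and value when the failed
// submission is recorded, so the stored log never holds raw markup.
function record_failed_submission( string $form, string $error, array $fields ): array {
    $clean = [];
    foreach ( $fields as $key => $value ) {
        $clean[ sanitize_text_field( $key ) ] = sanitize_text_field( $value );
    }
    return [
        'form'   => sanitize_text_field( $form ),
        'error'  => sanitize_text_field( $error ),
        'fields' => $clean,
    ];
}

// Hardened output: escape for the exact context each value is emitted in.
// esc_attr for attribute values, esc_html for text nodes. This is the control
// that matters: it neutralises the payload even when the stored entry was
// written by an older, non-sanitizing version of the intake code.
function render_error_log_modal_hardened( array $entries ): string {
    $html = '<table>';
    foreach ( $entries as $entry ) {
        $html .= '<tr><th>' . esc_html( $entry['form'] ) . '</th><td>' . esc_html( $entry['error'] ) . '</td></tr>';
        foreach ( $entry['fields'] as $key => $value ) {
            $html .= '<tr><td data-field="' . esc_attr( $key ) . '">' . esc_html( $key )
                   . '</td><td>' . esc_html( $value ) . '</td></tr>';
        }
    }
    return $html . '</table>';
}

$vulnerable = render_error_log_modal_vulnerable( $log_entries );
$hardened   = render_error_log_modal_hardened( $log_entries );   // escaping alone, on the raw entry
$sanitized  = render_error_log_modal_hardened( [ record_failed_submission(
    $log_entries[0]['form'], $log_entries[0]['error'], $log_entries[0]['fields'] ) ] );

// The vulnerable output contains a live <img onerror=...> element; both hardened
// outputs contain no <img element at all (escaped to &lt;img ...&gt; text, or
// stripped on intake before it was ever stored).
echo strpos( $vulnerable, '<img src=x onerror' ) !== false ? "vulnerable: payload emitted as markup\n" : "vulnerable: clean\n";
echo strpos( $hardened, '<img' ) === false ? "hardened (escape only): payload neutralised\n" : "hardened: payload emitted\n";
echo strpos( $sanitized, '<img' ) === false ? "hardened (sanitize + escape): payload neutralised\n" : "hardened: payload emitted\n";
```

The design point is the order of defences: intake sanitization is hygiene that limits what gets stored, but it strips tags rather than escaping quotes, so an attribute-breakout payload can survive it; output escaping chosen for the emission context (text node versus attribute) is the control that actually prevents execution, and it must be applied to every stored value the modal renders, including keys and error messages, not only the obvious free-text fields.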
Defensive priority
HIGH
Recommended defensive actions
- Update the Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin to a version later than 1.0.15; all versions up to and including 1.0.15 are affected.
- Deploy a Content Security Policy as defence in depth, with the caveat that wp-admin depends on inline scripts, so a policy strict enough to block an injected script needs nonces or hashes and must be tested against the admin UI before it is enforced. CSP reduces the impact of this bug; it does not fix the missing escaping.
- Until the update is applied, treat the plugin's error log as untrusted content: review stored failed-submission entries through a channel that does not render them as HTML (for example WP-CLI or a direct database query) rather than the details modal, and watch wp-admin for signs that a payload has already run with an administrator's session, such as unexpected administrator accounts, modified plugins or changed options.
Evidence notes
Evidence from Wordfence indicates that the vulnerability affects all versions of the plugin up to and including 1.0.15. The Wordfence record lists multiple source references pointing at the specific lines of code responsible; those references are not reproduced in this debrief.
Official resources
CVE-2026-8901 was published on 2026-06-06T02:16:22.547Z and modified on 2026-06-08T14:57:14.757Z.