CVE-2026-8901: Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data
The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows an unauthenticated remote attacker to inject malicious JavaScript through form submission data. The payload is stored server-side and executes when a WordPress administrator opens the error log details modal in the admin panel after a failed CRM API call. Successful exploitation lets the attacker run arbitrary scripts in the administrator's browser session, enabling session hijacking, credential theft, or unauthorized admin actions. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
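The advisory attributes the flaw to missing sanitization on the way in and missing escaping on the way out, with the admin error-log modal as the rendering point. The snippet below is an added illustration written for this page, not code from the Integration for Freshsales plugin: it contrasts a modal renderer that interpolates stored submission fields raw with one that escapes each value for its output context, and adds input sanitization as defense in depth. The hg_* function names, the shape of the log record and the CRM response text are assumptions; esc_html, esc_attr and sanitize_text_field are the real WordPress helpers, shimmed here only so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). The WordPress helpers are shimmed so
// this file runs stand-alone; inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return esc_html($text); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Approximation of the WordPress behaviour: strip tags and surrounding whitespace.
        return trim(strip_tags((string) $text));
    }
}

// Constructed failed-submission record, in the shape such a plugin might store
// after a CRM API error. The "name" field carries untrusted markup; the
// response string is an assumed value.
$log_entry = [
    'form'     => 'contact-form-7',
    'fields'   => [
        'name'  => '<script>/* constructed marker */</script>Jane Doe',
        'email' => 'jane@example.com',
    ],
    'response' => 'HTTP 422: invalid contact payload',
];

// VULNERABLE pattern: stored submission values are interpolated straight into
// the admin modal, so any markup in a field is parsed as HTML in the
// administrator's browser when the modal opens.
function hg_render_error_modal_vulnerable(array $entry): string {
    $html = '<div class="hg-error-modal"><h3>Failed CRM call (' . $entry['form'] . ')</h3><dl>';
    foreach ($entry['fields'] as $key => $value) {
        $html .= "<dt>{$key}</dt><dd>{$value}</dd>";
    }
    return $html . '</dl><p>Response: ' . $entry['response'] . '</p></div>';
}

// HARDENED pattern: every untrusted value is escaped for the context it lands
// in (esc_html for text nodes, esc_attr inside an attribute). This is the
// "output escaping" the advisory says is missing.
function hg_render_error_modal_hardened(array $entry): string {
    $html = '<div class="hg-error-modal" data-form="' . esc_attr($entry['form']) . '">'
          . '<h3>Failed CRM call (' . esc_html($entry['form']) . ')</h3><dl>';
    foreach ($entry['fields'] as $key => $value) {
        $html .= '<dt>' . esc_html($key) . '</dt><dd>' . esc_html($value) . '</dd>';
    }
    return $html . '</dl><p>Response: ' . esc_html($entry['response']) . '</p></div>';
}

// Defense in depth: sanitize fields before the record is written, so a later
// reader of the same log that forgets to escape does not inherit the problem.
// Output escaping remains mandatory; sanitization alone is not the fix.
function hg_sanitize_submission(array $fields): array {
    return array_map('sanitize_text_field', $fields);
}

echo "Vulnerable modal:\n", hg_render_error_modal_vulnerable($log_entry), "\n\n";
echo "Hardened modal:\n", hg_render_error_modal_hardened($log_entry), "\n\n";
echo "Sanitized before storage:\n", json_encode(hg_sanitize_submission($log_entry['fields'])), "\n";
```

Run with `php example.php`: the vulnerable output contains the literal script element inside the `<dd>`, while the hardened output renders it as `&lt;script&gt;...` text. The two layers are deliberately separate: sanitization at storage narrows what can be stored, but only escaping at the point of rendering is tied to the HTML context and closes the bug regardless of how the data got into the log.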
HarborGuard Coverage
Detection of CVE-2026-8901 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle this plugin. Any image found to carry the Integration for Freshsales plugin at version 1.0.15 or earlier is flagged immediately. (Status: Available)
HarborGuard surfaces this CVE with its CVSS 3.1 score of 7.2 (HIGH), weighted against each customer organization's compliance policy, and routes findings to the appropriate team inbox. Per-environment policy configuration allows security and development teams to set escalation thresholds that reflect their own risk tolerance for unpatched, network-exposed XSS vulnerabilities. (Status: Available)
Because no upstream fix version has been published for CVE-2026-8901, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated plugin release appears. In the interim, findings remain open and visible in the HarborGuard dashboard so teams can apply compensating controls while monitoring for upstream patch availability. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The attacker submits a malicious payload via a web form exposed over the network; no internal or adjacent-network position is required.
- Authentication: Not required
  The injected payload is delivered through publicly accessible form submissions, requiring no account or login on the target site.
- Victim interaction: Required
  The payload executes only when a logged-in WordPress administrator opens the error log details modal in the admin panel, making administrator interaction a necessary condition for exploit success.
- Attack complexity: Low (CVSS AC:L)
  Exploitation is reliable and requires no race condition or special environmental alignment; the attacker submits a crafted form value and waits for an administrator to trigger execution.
Blast Radius
- Reads the administrator's active browser session tokens, enabling account takeover of the WordPress admin account.
- Injects additional scripts into the admin panel that can create rogue administrator accounts or exfiltrate stored credentials and API keys visible on admin pages.
- Modifies site content or plugin settings via authenticated admin actions silently performed within the hijacked browser session.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-8901 is actively tracked with no published fix, so the primary capability is continuous advisory monitoring. HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment the plugin vendor ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention. While no fix exists, HarborGuard recommends applying compensating controls: network-policy isolation to limit which pods or containers can serve the affected WordPress instance externally, egress filtering to block unauthorized outbound requests that a post-XSS payload might make, and feature-flag or WAF-level gating on form submission endpoints to strip or reject input containing script tags. Findings remain open and HIGH-severity in each customer's HarborGuard dashboard until an upstream patch is available.
Affected Products
- plugcrux / Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More: ≤ 1.0.15
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N