Logo
Retour à la veille

CVE-2026-8901

Publié : 6 juin 2026
Modifié : 6 juin 2026
Lien officiel NVD
Score CVSS
7.2
HIGH

Description détaillée

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Références et Patchs

https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/assets/js/error-log.js#L84https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/db/fw-error-log.php#L75https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/forms/submit-action.php#L555https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/product/fw-errorlog-action.php#L178https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/assets/js/error-log.js#L84https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/db/fw-error-log.php#L75https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/forms/submit-action.php#L555https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/product/fw-errorlog-action.php#L178https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552999%40crm-integration-freshworks-any-form&new=3552999%40crm-integration-freshworks-any-form&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c8cf71-e9b0-4241-b975-f52aeb823318?source=cve

Dernières Vulnérabilités

CVE-2026-9280

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.

VOIR DÉTAILS

CVE-2026-9197

The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

VOIR DÉTAILS

CVE-2026-8991

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VOIR DÉTAILS