The Integration for Freshsales plugin for WordPress suffers from a stored XSS vulnerability (CWE-79) caused by improper neutralization of input during web page generation. This allows unauthenticated attackers to inject malicious scripts through form submissions. The payload triggers when a CRM API call fails and an administrator accesses the error log details modal, potentially leading to script execution in the admin context. The vulnerability affects all versions up to 1.0.15. The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, scope changed, and low impact on confidentiality and integrity, no impact on availability. No patch or official remediation is currently documented.

Successful exploitation allows an unauthenticated attacker to execute arbitrary scripts in the context of the WordPress admin panel when an administrator views error logs after a CRM API failure. This can lead to partial confidentiality and integrity loss within the admin interface. There is no direct impact on availability. The vulnerability requires a specific failure condition and admin interaction to trigger the payload.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should exercise caution when viewing error log details modals related to CRM API failures. Restricting access to the WordPress admin panel and monitoring for suspicious form submissions may reduce risk. Avoid exposing the error log details modal to untrusted users. Follow vendor updates for official patches or mitigations.