Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through <= 2.8.2.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper sanitization of user input in the HT Contact Form 7 plugin allows stored XSS. Malicious scripts can be submitted through the form and subsequently rendered unescaped to anyone who views the affected page.

Affected Systems

HT Plugins’ HT Contact Form 7 is vulnerable from its earliest release through version 2.8.2. All WordPress sites using this plugin version or earlier are affected. The vulnerability pertains to the form submission interface.

Risk and Exploitability

The CVSS base score of 7.1 denotes high severity. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates that an attacker can exploit the flaw remotely via the web form without needing additional access, although user interaction is required. EPSS is not available and the flaw is not listed in CISA KEV. The attack vector is external, with the payload persisting in the site's database until removed.

Generated by OpenCVE AI on May 27, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HT Contact Form 7 plugin to version 2.8.3 or later, which removes the stored XSS flaw.
  • If an upgrade is not immediately possible, deactivate the plugin or restrict form submissions to trusted administrators until a patch is applied.
  • Apply a site‑wide Content Security Policy that restricts script sources to the same origin and blocks inline script execution, reducing the damage of any remaining payloads.


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Values Added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Values Added:

  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through <= 2.8.2.
  • Title: WordPress HT Contact Form 7 plugin <= 2.8.2 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:52:52.098Z

Reserved: 2026-04-29T09:05:20.867Z

Link: CVE-2026-42728

Vulnrichment

Updated: 2026-05-27T10:52:46.947Z

NVD

Status: Deferred

Published: 2026-05-27T11:16:19.180

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z
