Description
The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.
Published: 2026-05-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HT Contact Form plugin includes a stored XSS flaw in the file_upload field, where uploaded data is not properly sanitized or escaped before being saved to the database. When the "Store Submissions" option is enabled, the unsanitized input is later rendered by the admin entry viewer using dangerouslySetInnerHTML, so any stored script runs in the browser of whoever views that entry. This allows an unauthenticated attacker to deliver arbitrary JavaScript that executes with the privileges of any user who can view the entry page, enabling data theft, session hijacking, or further site compromise.

Affected Systems

This vulnerability affects WordPress sites running the HT Contact Form – Drag & Drop Form Builder for WordPress plugin (htplugins) with any version up to and including 2.8.2. The flaw is present in all releases prior to the patch that removed the vulnerable code path.

Risk and Exploitability

The technical score for this issue is CVSS 3.1 7.2, indicating a high severity. No EPSS data is provided, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the "Store Submissions" setting to be active, but beyond that the attack vector is open to any attacker who can submit a form with a crafted file_upload value. Because the malicious code is stored and later rendered, the payload executes in the victim’s browser each time the entry is viewed, making this a serious threat especially for administrators or other users with entry‑viewer access.

Generated by OpenCVE AI on May 28, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to at least version 2.8.3, where the vulnerable code path has been removed.
  • If an upgrade cannot be performed immediately, disable the "Store Submissions" setting so that file_upload values are not persisted or rendered in the admin entry viewer.
  • Configure the plugin or the server so that file uploads are accepted only from trusted sources, or reject all uploads from unauthenticated users, so that untrusted uploaded content is discarded before it is stored.


Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Values Removed: (none)
Values Added:
  Description: The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.
  Title: HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field
  Weaknesses: CWE-79
  References: (none listed)
  Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:33:10.091Z

Reserved: 2026-04-25T18:47:55.013Z

Link: CVE-2026-7052

Vulnrichment

Updated: 2026-05-28T10:33:02.367Z

NVD

Status : Deferred

Published: 2026-05-28T08:16:36.603

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T09:30:06Z

Weaknesses