CVE Catalog

CVE-2026-7052

High
Published: Translated: NVD NIST

Summary

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'file_upload' parameter in all versions up to and including 2.8.2 due to insufficient input sanitization and output escaping.

Risk Assessment

Unauthenticated attackers can inject arbitrary web scripts that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, allowing unsanitized field values to be persisted in the database.

Recommendation

It is recommended to update the plugin to the latest version and disable the 'Store Submissions' option to minimize the risk of XSS attacks.

Original NVD description (English source)

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS