CVE-2026-7052: Stored XSS in HT Contact Form WordPress Plugin (v2.8.2 & Earlier)
HT Contact Form, a popular WordPress form builder plugin, contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 2.8.2. An unauthenticated attacker can inject malicious scripts through file upload fields that persist in the database and execute in administrators' browsers when viewing form submissions. The vulnerability requires the 'Store Submissions' setting to be enabled—a common configuration. This is a stored rather than reflected attack, making it more dangerous because the payload remains active until manually removed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.
12 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7052 is a stored XSS vulnerability (CWE-79) in the HT Contact Form plugin stemming from insufficient input sanitization and output escaping of the 'file_upload' parameter. When form submissions are stored (controlled by the 'Store Submissions' setting), unsanitized field data is rendered in the WordPress admin entry viewer using dangerouslySetInnerHTML, allowing arbitrary JavaScript execution. The vulnerability is network-accessible, requires no authentication, and affects all versions up to and including 2.8.2. CVSS 3.1 score: 7.2 (HIGH).
Business impact
Administrators of sites running vulnerable versions risk account compromise, credential theft, and lateral movement into WordPress infrastructure. Attackers can inject malicious scripts that steal session tokens, trigger plugin installations, modify site content, or redirect visitors to phishing pages. For multi-site or enterprise WordPress deployments, a single compromised form can expose multiple administrative accounts. The attack surface is broad because contact forms are ubiquitous, and many sites leave 'Store Submissions' enabled by default for compliance and customer service workflows.
Affected systems
WordPress sites using HT Contact Form – Drag & Drop Form Builder plugin version 2.8.2 and earlier are affected. Vulnerability requires the 'Store Submissions' feature to be enabled. Sites that have disabled this setting or use alternative form builders are not impacted. The plugin is widely distributed; administrators should verify installation status via the WordPress admin dashboard or plugin audit tools.
Exploitability
Exploitability is high. No authentication is required; an attacker can submit a malicious form from the public internet. Once injected, the payload persists in the database and executes automatically whenever an administrator views submissions. No special user interaction is needed beyond normal admin activity. However, the attack requires that 'Store Submissions' be enabled—if disabled, submissions are not persisted and the vulnerability cannot be exploited in that configuration.
Remediation
Upgrade HT Contact Form to a patched version released after 2.8.2 (verify against the official plugin repository or vendor advisory for the specific version number). If an immediate upgrade is not possible, disable the 'Store Submissions' setting in plugin configuration to prevent payload persistence. Additionally, audit existing form submissions in the database for suspicious content, and consider temporarily deactivating the plugin if it is not actively in use. Clear browser caches and invalidate admin sessions to remove any cached malicious scripts.
Patch guidance
Contact the plugin vendor or check the WordPress.org plugin repository for the latest security update. Updates typically address the vulnerability by implementing proper input sanitization and output escaping for all user-supplied form fields. Verify the update version number in the plugin advisory before deployment. Test patched versions in a staging environment first to ensure compatibility with custom forms and integrations. After upgrading, re-enable 'Store Submissions' if it was disabled as a temporary mitigation.
Detection guidance
Monitor form submission logs and database entries for unusual JavaScript patterns, event handlers (e.g., onerror, onclick), or HTML tags within file_upload fields. Review admin audit logs for unexpected script execution or admin session anomalies. Use WordPress security plugins to detect stored XSS signatures in post meta and form submission data. Search for payloads containing common XSS vectors: <script>, javascript:, onerror=, and event handler attributes. Implement Web Application Firewall (WAF) rules to detect and block form submissions containing unescaped HTML or script tags targeting this parameter.
Why prioritize this
This is a HIGH-priority vulnerability due to the combination of high CVSS score (7.2), broad attack surface (public-facing forms requiring no authentication), and direct impact on administrative accounts. The stored nature of the XSS increases persistence and likelihood of successful exploitation. Given the ubiquity of contact forms in WordPress ecosystems, widespread plugin adoption, and ease of exploitation, this should be treated as critical for any organization running affected versions with 'Store Submissions' enabled.
Risk score, explained
CVSS 3.1 score of 7.2 reflects: (1) network-accessible attack vector, (2) low attack complexity (no special conditions required), (3) no privileges or user interaction needed for payload injection, (4) scope changed (impact extends beyond vulnerable component to admin interface), and (5) confidentiality and integrity impact (unauthorized script execution, data theft, account compromise). The score would be higher if availability were impacted or if the attack required authentication.
Frequently asked questions
Does this vulnerability affect my site if I use a different form plugin?
No. This vulnerability is specific to HT Contact Form – Drag & Drop Form Builder. If you use WPForms, Gravity Forms, Forminator, or other form builders, you are not affected by CVE-2026-7052. Always verify the exact plugin name and version in your WordPress admin dashboard.
Can I use this form plugin safely if I disable 'Store Submissions'?
Disabling 'Store Submissions' prevents the payload from being persisted to the database, which blocks this particular exploit path. However, this is a temporary mitigation only. You should still upgrade to a patched version as soon as possible, as the underlying input sanitization vulnerability could potentially be exploited through other vectors or in future plugin versions.
How do I know if my site has been exploited?
Check for suspicious JavaScript, HTML tags, or event handlers in your form submission records (typically stored in the WordPress database or plugin data tables). Review WordPress admin audit logs for unexpected script execution or unauthorized administrative actions. Use a WordPress security scanner to detect malicious content in post meta. If unsure, engage a professional security auditor to perform a forensic review.
What should I do if I cannot update the plugin immediately?
As immediate mitigation, disable the 'Store Submissions' setting to prevent payload persistence. Deactivate the plugin entirely if it is not actively needed. Monitor form submissions closely for suspicious content. Restrict admin dashboard access to trusted IP addresses using a WAF or server-level rules. Plan an emergency update as soon as a patched version becomes available. Do not leave this vulnerability unaddressed in production environments.
This analysis is provided for informational purposes to support security decision-making. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Verify all patch version numbers, compatibility details, and vendor advisories directly with the HT Contact Form official repository or vendor before deploying updates. CVSS scores are subject to change and should be re-evaluated if vendor information is updated. Organizations are responsible for assessing their own exposure, testing patches in staging environments, and implementing mitigations appropriate to their risk tolerance and infrastructure. This document does not constitute legal advice or official guidance from any government or standards body. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)