CVE-2026-42728

Vulnerability

The HT Contact Form 7 plugin (ht-contactform) for WordPress versions through 2.8.2 fails to properly neutralize input during web page generation, leading to a stored cross-site scripting (XSS) vulnerability. The issue resides in the handling of form submissions where user-supplied data is not sanitized before being stored and later displayed, enabling persistent script injection. Affected versions: all versions up to and including 2.8.2 [1].

Exploitation

An attacker with the ability to submit contact forms (typically unauthenticated users, depending on the form configuration) can inject malicious JavaScript or HTML payloads into form fields. When a privileged user, such as an administrator, views the submissions in the WordPress admin panel, the payload executes in their browser session. This requires user interaction from the privileged user (e.g., visiting the submissions page) but does not require any special network position beyond standard web access [1].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data (e.g., admin credentials). The impact is moderately severe and can facilitate mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor released version 2.8.3 which resolves the vulnerability. Users should update to 2.8.3 or later immediately [1]. As a workaround, Patchstack offers a mitigation rule that blocks attacks until the update is applied. Auto-update can be enabled for vulnerable plugins via Patchstack [1].