VYPR
High severity (CVSS 7.2) · NVD Advisory · Published May 28, 2026

CVE-2026-7052

Description

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The HT Contact Form plugin (all versions up to and including 2.8.2) does not adequately sanitize the file_upload parameter, leading to stored XSS that fires when an administrator views the stored submission.

Vulnerability

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.8.2. The vulnerability resides in the file_upload parameter processed by the submit_form callback in admin/Includes/Api/Endpoints/Submission.php [1][2]. Insufficient input sanitization and output escaping allow arbitrary JavaScript to be injected. The flaw is only exploitable when the "Store Submissions" setting is enabled, which persists form data to the database [1]. The REST endpoint /submission is publicly accessible with no authentication required (check_permission returns true) [3].

Exploitation

An unauthenticated attacker can send a POST request to the /submission REST endpoint with a crafted file_upload parameter containing XSS payloads. No prior authentication or special privileges are needed [3]. Exploitation requires that the target site have the "Store Submissions" setting enabled, since only then is the input persisted and later rendered. Once stored, the payload executes when an administrator views the submission entry in the admin area, where dangerouslySetInnerHTML is used to render the unsanitized field [1].

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the WordPress admin interface. An attacker can steal session cookies, modify page content, or perform actions on behalf of an administrator, potentially leading to full site compromise. The confidentiality, integrity, and availability of the WordPress installation are at risk, with the attacker gaining the ability to execute scripts with admin-level privileges.

Mitigation

As of the publication date (2026-05-28), no patched version has been released. Users should disable the "Store Submissions" setting if it is enabled, as this prevents the persistence of unsanitized data and blocks the attack vector. Administrators are advised to monitor the plugin's update channel for a fixed release. The vulnerability has not been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Insufficient input sanitization in the `file_upload` field type — `esc_url_raw()` does not remove HTML/JavaScript payloads, and stored values are later rendered via `dangerouslySetInnerHTML` without output escaping."

Attack vector

An unauthenticated attacker submits a POST request to the `/submission` REST endpoint with a `file_upload` field containing arbitrary JavaScript (e.g., `javascript:alert(1)` or a data URI). The `check_permission()` callback unconditionally returns `true` [1], so no authentication is required. The payload is sanitized only with `esc_url_raw()` [1], which does not strip script content. When the 'Store Submissions' setting is enabled, the unsanitized value is persisted to the database and later rendered via `dangerouslySetInnerHTML` in the admin entry viewer, causing stored XSS that executes in the context of any administrator who views the entry.

Affected code

The vulnerability exists in the `sanitize_data()` method of the `Submission.php` REST API endpoint handler. The `file_upload` and `image_upload` field types are sanitized using `esc_url_raw()` [1], which only escapes URLs and does not remove HTML or JavaScript payloads. The stored values are later rendered via `dangerouslySetInnerHTML` in the admin entry viewer without further output escaping.

What the fix does

The advisory does not include a patch diff. To remediate, the plugin should apply proper HTML sanitization (e.g., `wp_kses()` or `sanitize_text_field()`) to `file_upload` and `image_upload` field values instead of relying solely on `esc_url_raw()`. Additionally, the admin entry viewer should avoid using `dangerouslySetInnerHTML` to render stored field values, or should escape output before rendering. Until a fix is applied, disabling the 'Store Submissions' setting prevents the stored XSS from triggering.
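The following is an added example, not code from the HT Contact Form plugin or from this advisory, showing the output-side half of the remediation described above: an admin entry viewer that never hands a stored field value to `dangerouslySetInnerHTML` unescaped. It treats `file_upload` and `image_upload` values as data, accepts only `http(s)` URLs as links, and renders everything else as inert escaped text. The function names (`escapeHtml`, `isSafeUploadUrl`, `renderStoredField`, `renderSubmission`) and the sample submission are hypothetical constructions for this illustration.

```javascript
// Added example (hypothetical, not the plugin's own code): a hardened
// admin-side renderer for stored contact-form submissions.

// HTML-escape a value so it is safe in element text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// For upload fields only an absolute http(s) URL is acceptable as a link.
// javascript:, data: and plain HTML fragments are rejected by this check.
function isSafeUploadUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return false; // not a parseable absolute URL (e.g. an HTML fragment)
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Render one stored field as an HTML string that is safe to insert into the DOM.
// Invalid upload values are still shown to the admin, but as escaped text, so
// the reviewer can see what was submitted without it executing.
function renderStoredField(field) {
  const { type, value } = field;
  if (type === 'file_upload' || type === 'image_upload') {
    if (isSafeUploadUrl(value)) {
      const href = escapeHtml(value);
      return `<a href="${href}" rel="noopener noreferrer">${href}</a>`;
    }
    return `<span class="ht-invalid-upload">${escapeHtml(value)}</span>`;
  }
  // Every other field type is plain text as far as the viewer is concerned.
  return `<span>${escapeHtml(value)}</span>`;
}

// Render a whole submission as a list; each value passes through renderStoredField.
function renderSubmission(fields) {
  return '<ul>' + fields.map((f) =>
    `<li>${escapeHtml(f.label)}: ${renderStoredField(f)}</li>`).join('') + '</ul>';
}

// Constructed sample submission: one legitimate upload URL and two values of the
// kind the advisory describes (a javascript: URL and an HTML fragment).
const sampleSubmission = [
  { label: 'name', type: 'text', value: 'Ada <script>alert(1)</script>' },
  { label: 'cv', type: 'file_upload', value: 'https://example.com/uploads/cv.pdf' },
  { label: 'photo', type: 'image_upload', value: 'javascript:alert(1)' },
  { label: 'extra', type: 'file_upload', value: '<img src=x onerror=alert(1)>' },
];

console.log(renderSubmission(sampleSubmission));
```

In a React component the simplest equivalent is to render the value as a text child (`<span>{value}</span>`), which React escapes automatically, and to reserve an `<a>` element for values that pass the scheme check; the string-building functions above do the same job for viewers that assemble markup by hand. Output escaping here complements, and does not replace, proper server-side sanitization of the stored value.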

Preconditions

  • config: The 'Store Submissions' setting must be enabled in the plugin configuration.
  • network: The attacker must be able to reach the public REST API endpoint for form submission.
  • auth: No authentication is required; the endpoint's permission callback returns true for all requests.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 12

News mentions: 0 (no linked articles in the index yet)