Stored Cross-Site Scripting Vulnerability in HT Contact Form Plugin for WordPress
CVE-2026-7052

7.2 HIGH

What is CVE-2026-7052?

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to and including 2.8.2, due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages, which then execute whenever a user views an affected page. The risk is heightened when the 'Store Submissions' setting is enabled, because unsanitized submission values are stored in the database and later displayed through dangerouslySetInnerHTML, so stored markup is rendered as HTML rather than as text.
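As an added illustration of the rendering flaw the description names (example code, not the plugin's own): a stored submission value handed to dangerouslySetInnerHTML beside the same value rendered as escaped text, plus a small helper an administrator could use to audit already-stored submissions for markup. The sample submission, field names and function names are constructed for the example.

```javascript
// Added example, not plugin code. Element props are modelled as plain objects
// so the example runs without React; the shapes mirror React's props.

// Constructed sample: a stored submission whose 'file_upload' field carries markup.
const storedSubmission = {
  id: 42,
  fields: { name: "Jane Doe", file_upload: "<b>not-a-file</b>.txt" },
};

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw stored value is injected as HTML.
function renderCellUnsafe(value) {
  return { tag: "td", props: { dangerouslySetInnerHTML: { __html: value } } };
}

// Hardened pattern: the value is passed as text content. React escapes children
// itself; escapeHtml() gives the same guarantee when HTML is built by hand.
function renderCellSafe(value) {
  return { tag: "td", props: { children: String(value) } };
}

// Serialise a cell to the HTML string the browser would receive.
function toHtml(cell) {
  const raw = cell.props.dangerouslySetInnerHTML;
  const inner = raw ? raw.__html : escapeHtml(cell.props.children);
  return `<${cell.tag}>${inner}</${cell.tag}>`;
}

// Render one submission row with either the unsafe or the hardened cell renderer.
function renderSubmissionRow(submission, safe) {
  const render = safe ? renderCellSafe : renderCellUnsafe;
  return Object.values(submission.fields).map(render).map(toHtml).join("");
}

// Audit helper: ids of stored submissions whose fields contain any HTML tag,
// which is what an administrator would want to review after upgrading.
function findSubmissionsWithMarkup(submissions) {
  const tag = /<\/?[a-z][^>]*>/i;
  return submissions
    .filter((s) => Object.values(s.fields).some((v) => tag.test(String(v))))
    .map((s) => s.id);
}
```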

Affected Version(s)

HT Contact Form – Drag & Drop Form Builder for WordPress, all versions up to and including 2.8.2 (0 <= version <= 2.8.2)

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Azril Fathoni