CVE-2026-7052 Overview
CVE-2026-7052 is a Stored Cross-Site Scripting (XSS) vulnerability in the HT Contact Form – Drag & Drop Form Builder plugin for WordPress. The flaw affects all versions up to and including 2.8.2. Unauthenticated attackers can inject arbitrary web scripts through the file_upload parameter due to insufficient input sanitization and output escaping. Persisted payloads execute when an administrator opens the entry viewer in the WordPress admin interface. The vulnerability is classified under CWE-79.
Critical Impact
Unauthenticated attackers can store malicious JavaScript that executes in administrator browsers, enabling session theft, privilege escalation through forced actions, and full site compromise when admins view captured form submissions.
Affected Products
- HT Contact Form – Drag & Drop Form Builder for WordPress (all versions through 2.8.2)
- WordPress sites with the plugin's Store Submissions setting enabled
- WordPress admin entry viewer rendering submission data via dangerouslySetInnerHTML
Discovery Timeline
- 2026-05-28 - CVE-2026-7052 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-7052
Vulnerability Analysis
The HT Contact Form plugin exposes a REST endpoint that accepts form submissions, including a file_upload field. The submission handler defined in admin/Includes/Api/Endpoints/Submission.php accepts the field value without applying sufficient sanitization before persistence. The plugin's Entries model at admin/Includes/Models/Entries.php stores the unsanitized value directly in the database when the Store Submissions setting is enabled.
When an administrator opens the entry viewer in the WordPress dashboard, the React-based admin bundle in admin/dist/bundle.js renders the stored field value using the dangerouslySetInnerHTML prop. This prop bypasses React's default escaping, causing the attacker-controlled payload to be interpreted as HTML and JavaScript in the administrator's authenticated session.
Root Cause
The root cause is twofold. The server-side submission handler fails to escape or strip HTML and script content from the file_upload field. The client-side admin viewer compounds the issue by intentionally bypassing React's XSS protections through dangerouslySetInnerHTML. Both controls must be present to render submission data safely. The fix delivered in changeset 3521197 addresses sanitization at the persistence boundary.
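The two controls named above, sanitization at the persistence boundary and escaping at render time, are shown together in the following added example. It is illustrative code written for this advisory, not the plugin's code, and it does not reproduce the fix in changeset 3521197; the function names (strip_markup, store_submission, render_as_text, render_raw) and the dictionary standing in for the submissions table are assumptions, and the sample values are constructed in the shape of the payloads the advisory describes.

```python
"""Defense in depth for a stored-XSS root cause of this kind (added example,
not the plugin's code): layer 1 strips markup before the value is persisted
(the analogue of the plugin's Entries model), layer 2 escapes at render time
(React's default for a text child, which dangerouslySetInnerHTML skips).
All names here are assumptions made for the illustration."""
import html
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keeps character data and entity references exactly as typed;
    drops every tag, attribute and comment."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")   # keep '&lt;' as typed, never decode it

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")


def strip_markup(value):
    """Layer 1. A contact form's file_upload field has no legitimate HTML,
    so the allowlist is empty: only text survives. Any angle bracket left
    over from a malformed fragment is entity-encoded so it cannot open a tag
    if the value is ever emitted raw."""
    parser = _TextOnly()
    parser.feed(value)
    parser.close()
    text = "".join(parser.parts)
    return text.replace("<", "&lt;").replace(">", "&gt;")


def store_submission(db, entry_id, field, raw_value):
    """Persist a sanitized copy (db is a dict standing in for the
    submissions table); returns what was actually stored."""
    db[(entry_id, field)] = strip_markup(raw_value)
    return db[(entry_id, field)]


def render_as_text(stored_value):
    """Layer 2: what a React {value} child does by default."""
    return html.escape(stored_value, quote=True)


def render_raw(stored_value):
    """The vulnerable path: the stored string is inserted as HTML unchanged."""
    return stored_value


def is_inert(markup):
    """Demo check: rendered output contains no tag opener at all."""
    return "<" not in markup


# Constructed inputs: one normal value and the payload shapes the advisory lists.
SAMPLES = [
    "resume.pdf",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "&lt;svg onload=alert(1)&gt;",
]

if __name__ == "__main__":
    db = {}
    for i, raw in enumerate(SAMPLES):
        stored = store_submission(db, i, "file_upload", raw)
        print(f"{raw!r:40} -> stored {stored!r}")
    # A row written before layer 1 existed still needs layer 2 in the viewer:
    legacy = "<img src=x onerror=alert(1)>"
    print("raw render inert?", is_inert(render_raw(legacy)))
    print("text render inert?", is_inert(render_as_text(legacy)))
```

The legacy-row check at the end is the reason the viewer-side control matters even after the server-side fix ships: entries persisted while the plugin was vulnerable keep their markup until they are purged, and only escape-on-render keeps them inert. In a real WordPress deployment the stripping would be done with the platform's own sanitization helpers rather than a hand-written parser; the parser here only makes the two layers visible.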
Attack Vector
An unauthenticated attacker submits a form containing a crafted file_upload value embedding HTML and JavaScript. The submission endpoint accepts the payload over the network with no authentication or user interaction. The payload is written to the WordPress database. Execution occurs when a privileged user, typically a site administrator, opens the entry viewer to review submissions. The injected script runs in the admin browser under the WordPress origin, granting access to nonces, cookies, and the REST API. Exploitation requires that the Store Submissions setting be enabled on the targeted form.
Detection Methods for CVE-2026-7052
Indicators of Compromise
- Form submission entries containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...> in the file_upload field
- Unexpected administrator account creation or role changes following access to the HT Contact Form entry viewer
- Outbound requests from administrator browsers to attacker-controlled domains after viewing submissions
- POST requests to the plugin's submission REST endpoint with oversized or HTML-laden file_upload payloads
Detection Strategies
- Inspect the plugin's submissions table for stored values containing angle brackets, JavaScript event handlers, or encoded script content
- Monitor request logs for POST requests to the /wp-json/ endpoints exposed by ht-contactform that carry suspicious file_upload content; note that standard web-server access logs record the request line but not the body, so body inspection needs WAF or application-level request logging
- Audit administrator session activity for actions that immediately follow opening the HT Contact Form entry viewer
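The first detection strategy above, inspecting stored submission values for tags, event handlers and encoded script content, is worked through in the following added example. It is not plugin code; the rows are constructed sample data in an assumed (entry_id, field, value) shape rather than the plugin's real table layout, and the indicator patterns are deliberately broad heuristics.

```python
"""Scan stored form-submission values for markup that has no place in a
contact-form field (added example for this advisory, not plugin code).
Values are normalized through repeated HTML-entity and percent-decoding
first, so encoded payloads are judged in the same form as plain ones."""
import html
import re
from urllib.parse import unquote

# Constructed sample rows: (entry_id, field_name, stored_value).
# The real submissions-table layout is an assumption.
SAMPLE_ENTRIES = [
    (101, "file_upload", "resume.pdf"),
    (102, "file_upload", "<script>alert(1)</script>"),
    (103, "file_upload", "&lt;img src=x onerror=alert(1)&gt;"),   # entity-encoded
    (104, "file_upload", "%3Csvg%20onload%3Dalert(1)%3E"),         # URL-encoded
    (105, "message", "Please call me back <3"),                    # benign bracket
    (106, "file_upload", '<a href="javascript:alert(1)">x</a>'),
]

# An opening or closing tag: '<', optional '/', then a tag name.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.IGNORECASE)
# An inline event-handler attribute such as onerror= or onload=.
EVENT_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# A javascript: URI in an href/src-style attribute.
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def normalize(value, rounds=3):
    """Decode entities and percent-encoding until the value stops changing
    (bounded, so double-encoded input is handled without looping forever)."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the indicator names that match the normalized value, in a fixed order."""
    text = normalize(value)
    hits = []
    if TAG_RE.search(text):
        hits.append("html_tag")
    if EVENT_RE.search(text):
        hits.append("event_handler")
    if JS_URI_RE.search(text):
        hits.append("javascript_uri")
    return hits


def scan_entries(entries):
    """Return [(entry_id, field, indicators)] for rows that look like injected markup."""
    findings = []
    for entry_id, field, value in entries:
        hits = classify(value)
        if hits:
            findings.append((entry_id, field, hits))
    return findings


if __name__ == "__main__":
    for entry_id, field, hits in scan_entries(SAMPLE_ENTRIES):
        print(f"entry {entry_id} field {field!r}: {', '.join(hits)}")
```

Run against a dump of the plugin's submissions table, the scan gives a review queue rather than a verdict: the event-handler pattern will also match ordinary text such as "option=", so every hit should be read before the entry is purged under the immediate-actions list. The normalization step is what keeps the entity- and percent-encoded rows (103 and 104) from slipping past a plain angle-bracket search.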
Monitoring Recommendations
- Enable WordPress audit logging to record administrator views of plugin entries and any subsequent privileged actions
- Configure a web application firewall to log and alert on submission payloads containing script tags or event handler attributes
- Track plugin version inventory across managed WordPress sites and flag instances running 2.8.2 or earlier
How to Mitigate CVE-2026-7052
Immediate Actions Required
- Update the HT Contact Form plugin to the version released in changeset 3521197 or later
- If patching is not immediately possible, disable the Store Submissions setting on all forms to prevent persistence of unsanitized values
- Review existing entries and purge any submissions containing HTML or script content from the database
- Rotate administrator session cookies and verify no unauthorized accounts or role changes occurred
Patch Information
The vendor fix is published in the WordPress plugin repository. Refer to the WordPress HT Contact Form Changeset and the Wordfence Vulnerability Report for technical details on the corrected sanitization logic.
Workarounds
- Disable the HT Contact Form plugin entirely until the patched version is deployed
- Deploy WAF rules that strip or block HTML tags and JavaScript event handlers in file_upload form fields submitted to the plugin endpoint
- Restrict access to the WordPress admin entry viewer to a hardened administrative workstation or jump host
- Apply Content Security Policy headers that disallow inline script execution in the WordPress admin interface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.