PatchSiren cyber security CVE debrief
CVE-2026-7052 htplugins CVE debrief
HT Contact Form – Drag & Drop Form Builder for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'file_upload' parameter in versions up to and including 2.8.2. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. Exploitation requires the 'Store Submissions' setting to be enabled: with it on, submitted field values are persisted to the database unsanitized and later rendered through dangerouslySetInnerHTML in the admin entry viewer, where the payload executes in the administrator's browser. The vulnerability was published on 2026-05-28 and carries a HIGH severity CVSS score of 7.2.
- Vendor
- htplugins
- Product
- HT Contact Form – Drag & Drop Form Builder for WordPress
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-28
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-28
Who should care
WordPress site administrators running the HT Contact Form plugin, security teams monitoring WordPress plugin vulnerabilities, and developers maintaining custom form implementations that store submissions and render them back in an admin view with similar patterns
Technical summary
The vulnerability exists in the handling of the file_upload parameter, where user-supplied input is stored without adequate sanitization. When 'Store Submissions' is enabled, the form data, including the malicious file_upload value, is persisted to the database. The admin entry viewer then renders that stored value with dangerouslySetInnerHTML instead of as text, so injected markup is parsed as HTML and any script it carries runs in the administrator's browser context, with the administrator's session. The attack vector is network-based with low attack complexity and no privileges required; the CVSS vector scores user interaction as none because the payload fires when an administrator opens the entry viewer as part of routine site administration, not through any action the attacker must induce.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade the HT Contact Form plugin to version 2.8.3 or later
- As an immediate mitigation, disable the 'Store Submissions' setting if it is not required; note that this stops new entries from being stored but does not remove payloads already saved, so existing entries still need review
- Review stored submissions, and the database table backing the entry viewer, for HTML tags, event-handler attributes or javascript: URLs in any field, not only file_upload
- Deploy Content Security Policy headers to limit the impact of XSS; treat this as defence in depth rather than a fix, since a policy strict enough to block inline script is difficult to apply to wp-admin, which relies on inline scripts
- Audit incoming form submission data for unexpected script content and alert on it, so that a renewed injection attempt is visible before an administrator opens the entry
Evidence notes
Vulnerability confirmed via WordPress plugin repository source code analysis. Multiple source references identify specific file locations in both tagged version 2.8.2 and trunk where insufficient sanitization occurs. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N supports network attack vector with no privileges required. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the primary weakness classification.
Official resources
2026-05-28