HIGH
htplugins
CVE published 2026-05-28
CVE-2026-7052
HT Contact Form – Drag & Drop Form Builder for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'file_upload' parameter in versions up to and including 2.8.2. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. Exploitation requires the 'Store Submissions' setting to be enabled, which persists unsanitized field values to [truncated]