Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT Contact Form 7: from n/a through <= 2.8.2.
AnalysisAI
Stored cross-site scripting in the HT Contact Form 7 (ht-contactform) WordPress plugin by HT Plugins, affecting all versions up to and including 2.8.2, lets a remote unauthenticated attacker persist malicious script that later executes in the browser of a privileged user who views the stored data. The CVSS 3.1 base score is 7.1, elevated by a changed scope (S:C), but EPSS is only 0.03% (10th percentile) and there is no public exploit identified at time of analysis. Disclosed via Patchstack (audit@patchstack.com) and tracked as ENISA EUVD-2026-32186.
Technical ContextAI
The flaw is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in a WordPress plugin. HT Contact Form 7 is an add-on from HT Plugins that extends the popular Contact Form 7 ecosystem (commonly providing Elementor styling/widgets for contact forms). The root cause is that attacker-supplied input - submitted through form fields or plugin-controlled parameters - is stored server-side and later rendered into an HTML page without adequate output encoding or input sanitization, so the browser interprets injected markup as executable script. No CPE string was supplied in the source data, so exact platform identifiers must be confirmed from the vendor/NVD entry; the affected component is the ht-contactform plugin slug on WordPress.
RemediationAI
No vendor-released patch version was identified at time of analysis from the provided data, which lists the issue as affecting through <= 2.8.2; administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ht-contactform/vulnerability/wordpress-ht-contact-form-7-plugin-2-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve) for the fixed release and upgrade to any version above 2.8.2 once published. Until a confirmed fixed version is installed, compensating controls include deploying a WordPress-aware WAF (such as Patchstack/virtual patching) with rules that strip or block HTML/script in contact-form field submissions, which may cause false positives on legitimate input containing angle brackets; restricting and reviewing form submission data so administrators view stored entries through a sanitized interface; and limiting which low-trust accounts can reach the vulnerable submission endpoint, accepting that a public contact form may need to remain open and therefore cannot be fully access-restricted. If the plugin is non-essential, deactivating and removing ht-contactform fully eliminates exposure at the cost of losing the contact-form functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32186
GHSA-9m37-mfhg-pv2m