Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The HT Contact Form - Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.
AnalysisAI
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Technical ContextAI
The vulnerability resides in HT Contact Form's submission handling code (admin/Includes/Api/Endpoints/Submission.php and admin/Includes/Models/Entries.php), where user-supplied values from the 'file_upload' form field are accepted via a public REST API endpoint without proper sanitization, then later rendered in the React-based admin interface (admin/dist/bundle.js) using dangerouslySetInnerHTML. This pattern bypasses React's default XSS protections by treating the persisted string as raw HTML. The root cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored variant where untrusted persistent storage is later concatenated into a privileged DOM context. The CPE identifies the affected component as cpe:2.3:a:htplugins:ht_contact_form_-_drag_&_drop_form_builder_for_wordpress:*.
RemediationAI
Upstream fix available (changeset 3521197 in the plugin's trunk on plugins.trac.wordpress.org); released patched version not independently confirmed in the provided data, so administrators should upgrade to the latest version published on the WordPress plugin directory beyond 2.8.2 and consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/edb0ee0c-1eab-4988-9eb6-cc0c253fee15?source=cve for the exact fixed release. As a workaround until patching, disable the 'Store Submissions' setting in the plugin configuration to prevent unsanitized field values from being persisted and later rendered - note the trade-off is loss of in-database submission history, so ensure forms are configured to email submissions instead. Alternatively, deactivate the plugin or restrict access to the wp-json REST endpoint that accepts submissions via a WAF rule that strips HTML/script content from the 'file_upload' parameter, accepting the side effect of potential false positives on legitimate filenames containing special characters.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32740
GHSA-jvfv-xgr4-q7p3