{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-7052/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7052"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HT Contact Form – Drag \u0026 Drop Form Builder for WordPress plugin \u003c= 2.8.2"],"_cs_severities":["medium"],"_cs_tags":["stored-xss","wordpress","plugin","CVE-2026-7052"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe HT Contact Form – Drag \u0026amp; Drop Form Builder for WordPress plugin, a popular tool for creating contact forms on WordPress websites, is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-7052, this flaw affects all versions up to and including 2.8.2. The vulnerability lies within the \u0026lsquo;file_upload\u0026rsquo; parameter, where insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. Successful exploitation requires the \u0026lsquo;Store Submissions\u0026rsquo; setting to be enabled in the plugin, as this setting determines whether unsanitized field values are persisted to the database. These persisted values are then rendered without proper escaping in the admin entry viewer, leading to XSS when an administrator views the submission. This poses a significant risk to WordPress sites using the vulnerable plugin, as malicious scripts can compromise administrator accounts and potentially the entire website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an HT Contact Form.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a JavaScript payload into the \u0026lsquo;file_upload\u0026rsquo; parameter of the form.\u003c/li\u003e\n\u003cli\u003eThe vulnerable HT Contact Form plugin processes the form submission without proper sanitization or output encoding of the \u0026lsquo;file_upload\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eIf the \u0026lsquo;Store Submissions\u0026rsquo; setting is enabled, the malicious payload is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the HT Contact Form submissions page, triggering the rendering of the stored, unsanitized \u0026lsquo;file_upload\u0026rsquo; value.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript payload executes within the administrator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the administrator\u0026rsquo;s session, potentially leading to further compromise of the WordPress website, such as plugin modification or arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Stored XSS vulnerability (CVE-2026-7052) can lead to a complete compromise of the affected WordPress website. An attacker can inject malicious JavaScript code that executes within the administrator\u0026rsquo;s browser, allowing them to steal credentials, modify website content, install malicious plugins, or redirect users to phishing sites. Given the popularity of the HT Contact Form plugin, a large number of WordPress websites are potentially vulnerable. The impact is magnified when considering that administrators typically have extensive privileges, enabling attackers to perform privileged actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the HT Contact Form – Drag \u0026amp; Drop Form Builder for WordPress plugin to the latest version (greater than 2.8.2) to patch CVE-2026-7052.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to inject malicious JavaScript code into the \u003ccode\u003efile_upload\u003c/code\u003e parameter within HTTP POST requests targeting WordPress pages with contact forms.\u003c/li\u003e\n\u003cli\u003eEnable input validation and output encoding on all user-supplied data, especially for form fields, to prevent XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, disable the \u0026lsquo;Store Submissions\u0026rsquo; setting within the HT Contact Form plugin as a temporary mitigation, albeit with reduced functionality.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T08:18:59Z","date_published":"2026-05-28T08:18:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-ht-contact-form-xss/","summary":"The HT Contact Form – Drag \u0026 Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting (CVE-2026-7052) via the 'file_upload' parameter in versions up to and including 2.8.2, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"HT Contact Form WordPress Plugin Vulnerable to Stored XSS (CVE-2026-7052)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-ht-contact-form-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-7052","version":"https://jsonfeed.org/version/1.1"}