CVE-2026-7052: HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field
The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.
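The root cause described above is a stored value that is interpolated into admin-page markup without escaping. The following JavaScript is an added example, not code from the HT Contact Form plugin or from HarborGuard: it models the vulnerable rendering pattern beside the hardened one and adds an input allowlist for the file-upload field. The field names, the `SAMPLE_ENTRY` submission and the helper names are constructed for this illustration.

```javascript
// Added example (not the plugin's own code): contrasts rendering a stored form
// field raw (the pattern the advisory describes) with escaping it at output,
// and adds an input allowlist for the file-upload field as defense in depth.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. This is the minimum an entry viewer must apply before
// interpolating a stored value into markup it hands to innerHTML or
// dangerouslySetInnerHTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored values are concatenated into markup unchanged, so
// any tag the submitter embedded is parsed and executed by the viewer's browser.
function renderEntryUnsafe(entry) {
  return Object.entries(entry)
    .map(([field, value]) => `<tr><td>${field}</td><td>${value}</td></tr>`)
    .join("");
}

// Hardened pattern: every field name and value is escaped, so the browser
// treats the submitter's text as text even when the result is still injected
// through an innerHTML-style sink.
function renderEntrySafe(entry) {
  return Object.entries(entry)
    .map(([field, value]) => `<tr><td>${escapeHtml(field)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join("");
}

// Defense in depth for a file-upload field specifically: the stored value
// should only ever be a file name, so reject anything outside a conservative
// allowlist before it reaches the database. Returns null for invalid input.
function sanitizeUploadFileName(value) {
  const name = String(value).trim();
  // Drop any directory component so "../" style values cannot survive either.
  const base = name.split(/[\\/]/).pop();
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(base)) return null;
  return base;
}

// Constructed sample submission (not captured from a real site): the
// file_upload field carries markup instead of a file name.
const SAMPLE_ENTRY = {
  name: "Jane Doe",
  file_upload: '<script>document.title = "injected"</script>resume.pdf',
};

console.log("unsafe render:", renderEntryUnsafe(SAMPLE_ENTRY));
console.log("safe render:  ", renderEntrySafe(SAMPLE_ENTRY));
console.log("stored file name:", sanitizeUploadFileName(SAMPLE_ENTRY.file_upload));
```

Escaping at the point of output is the fix the plugin itself needs; the allowlist on the file name is an extra layer that keeps a non-file-name value out of the database in the first place, which also narrows what the 'Store Submissions' setting can persist.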
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in the HT Contact Form plugin for WordPress (versions up to and including 2.8.2) allows an unauthenticated attacker to inject malicious JavaScript through the file upload field of a contact form. The vulnerability is reachable over the network with no login required, and executes when an administrator or other user views the stored form submission in the WordPress admin panel. Successful exploitation lets an attacker run arbitrary scripts in the victim's browser session, which can be used to steal session cookies, forge admin actions, or exfiltrate data. No fix version has been published; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-7052 is available across every HarborGuard environment. Vulnerability data is ingested from upstream feeds, including the Wordfence advisory feed, within minutes of publication, and matched against customer images and pipelines, including custom-built WordPress images that bundle the HT Contact Form plugin.
- Scoring and routing (Available): HarborGuard scores this finding at 7.2 HIGH using the CVSS v3.1 vector from the record, and applies per-environment compliance policy weighting to determine urgency and routing. Triage results are directed to the appropriate team inbox within each customer organization based on their defined policy rules.
- Patched-image rebuild (Pending upstream): Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as a fix version is released by the plugin maintainer. In the meantime, customers can use HarborGuard's compensating-control recommendations to reduce exposure while the upstream fix is pending.
Exploit Conditions
- Network reachability: Required
  The attacker submits a malicious payload through the contact form over the network, with no need for local or physical access to the host.
- Authentication: Not required
  No account or credentials are needed; any visitor who can reach the contact form can inject the malicious payload.
- Victim interaction: Not required
  No social engineering is needed from the attacker's side at injection time; the payload executes automatically when an admin or authenticated user opens the stored submission in the WordPress admin entry viewer.
- Attack complexity: Low
  The exploit is reliable and condition-free once the 'Store Submissions' setting is enabled on the target site; no race conditions or special environmental factors are required.
Blast Radius
- An attacker's injected script runs in the browser session of any WordPress user who views the poisoned submission, giving access to that user's session cookies and authentication tokens.
- If the victim is a WordPress administrator, the script can issue authenticated requests to the WordPress admin API, creating new admin accounts, installing plugins, or modifying site content.
- Sensitive form submission data visible in the admin entry viewer can be read and exfiltrated to an attacker-controlled endpoint.
How HarborGuard Handles This
Status: Available on HarborGuard. Because no upstream fix exists for CVE-2026-7052, HarborGuard monitors the Wordfence advisory and the htplugins release channel on every ingest cycle and will surface a patched-image rebuild opportunity the moment a fix version is published. Until then, the recommended compensating controls are:
- Restrict network access to the WordPress admin entry viewer using network policy, or deploy a web application firewall rule that blocks unauthenticated form submissions containing script tags or JavaScript event handlers.
- Disable the 'Store Submissions' setting in HT Contact Form if submission persistence is not operationally required; the vulnerability only manifests when this setting is active.
- Apply egress filtering on admin-panel sessions to limit the reach of any injected script that does execute.
Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically once an upstream fix version is available.
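Two of the compensating controls above lend themselves to a concrete check: a request-level rule that flags unauthenticated submissions carrying script tags or event handlers, and a fleet-level ranking of sites by plugin version and the 'Store Submissions' flag. The JavaScript below is an added example, not HarborGuard's or the plugin's code; the rule set, the `ht-contact-form` slug, the site records and the `SAMPLE_SUBMISSIONS` are constructed for this illustration and would need to be mapped onto a real WAF or inventory.

```javascript
// Added example (not HarborGuard's or the plugin's code): a WAF-style check of
// submitted form values plus a per-site exposure rule for the pending-fix window.

// Normalise a submitted value before matching so simple encoding tricks do not
// slip past the patterns: percent-decode (tolerating malformed input), decode
// the common HTML entities for < > " ' and lowercase everything.
function normalize(value) {
  let s = String(value);
  try { s = decodeURIComponent(s); } catch (e) { /* leave undecodable input as-is */ }
  s = s
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&#0*39;|&apos;/gi, "'")
    .replace(/&#x0*3c;/gi, "<").replace(/&#0*60;/gi, "<");
  return s.toLowerCase();
}

// Patterns for active HTML content, each paired with a reason string that is
// recorded with the block decision for later review.
const ACTIVE_CONTENT_RULES = [
  { reason: "script tag", re: /<\s*script\b/ },
  { reason: "inline event handler", re: /\bon[a-z]+\s*=/ },
  { reason: "javascript: URL", re: /javascript\s*:/ },
  { reason: "embedded frame or object", re: /<\s*(iframe|object|embed)\b/ },
];

// Evaluate one submission. Returns { block, findings } where each finding names
// the offending field and the rule that matched.
function inspectSubmission(fields) {
  const findings = [];
  for (const [field, raw] of Object.entries(fields)) {
    const value = normalize(raw);
    for (const rule of ACTIVE_CONTENT_RULES) {
      if (rule.re.test(value)) findings.push({ field, reason: rule.reason });
    }
  }
  return { block: findings.length > 0, findings };
}

// Lexicographic-by-component version comparison: true when a <= b.
function versionLte(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return true;
}

// Site-level exposure: the advisory states the stored value is only rendered
// when 'Store Submissions' is on, so rank sites on version plus that flag.
// The plugin slug and record shape are constructed for this example.
function exposureForSite(site) {
  const affected = site.plugin === "ht-contact-form" && versionLte(site.version, "2.8.2");
  if (!affected) return "not affected";
  return site.storeSubmissions ? "exposed" : "affected, mitigated by setting";
}

// Constructed submissions: one legitimate, two carrying active content in the
// file-upload field (the second one percent-encoded).
const SAMPLE_SUBMISSIONS = [
  { name: "Jane Doe", file_upload: "resume.pdf", message: "Please call me back." },
  { name: "x", file_upload: '<img src=x onerror="void 0">', message: "" },
  { name: "y", file_upload: "%3Cscript%3Evoid%200%3C%2Fscript%3E.pdf", message: "hi" },
];

for (const submission of SAMPLE_SUBMISSIONS) {
  console.log(JSON.stringify(inspectSubmission(submission)));
}
console.log(exposureForSite({ plugin: "ht-contact-form", version: "2.8.2", storeSubmissions: true }));
```

A pattern filter like this reduces exposure but is not a substitute for the upstream fix: matching is only as good as the normalisation in front of it, which is why the page pairs the WAF rule with disabling 'Store Submissions' where persistence is not needed.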
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: — (no fix version published)
- Affected Products: 1
  - htplugins / HT Contact Form – Drag & Drop Form Builder for WordPress: ≤ 2.8.2
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N