The HT Contact Form – Drag & Drop Form Builder for WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) via the 'file_upload' parameter. This vulnerability exists due to insufficient sanitization and escaping of user input before it is stored and later rendered using dangerouslySetInnerHTML in the admin interface. An unauthenticated attacker can exploit this if the 'Store Submissions' feature is enabled, injecting malicious scripts that execute when an administrator views the stored submissions. The vulnerability affects all plugin versions up to 2.8.2. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality and integrity.

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the WordPress admin interface, potentially leading to theft of administrative credentials or session tokens, and unauthorized actions within the admin panel. The impact is limited to confidentiality and integrity with no direct availability impact. This could compromise the security of the WordPress site and its data if exploited.

No official patch or remediation guidance is currently available from the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable the 'Store Submissions' setting to prevent unsanitized data from being stored and rendered. Additionally, restrict access to the WordPress admin interface to trusted users only and monitor for suspicious activity related to form submissions.