GCVE - cpe:2.3:a:htplugins:ht_contact_form_–_drag_&_drop_form_builder_for

Approved changes feed: RSS · Atom

cpe:2.3:a:htplugins:ht_contact_form_–_drag_&_drop_form_builder_for_wordpress:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Htplugins (`40f27a31-3999-57f1-b8a0-8bc6fd59159e`)
Product	Ht Contact Form – Drag & Drop Form Builder For Wordpress (`e0df420f-b994-5ba4-959c-6acebbb11a9d`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-7052`	vulnerable	2026-06-08 08:07:05.321761	HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field HIGH (7.2) The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer. Published: 2026-05-28T06:45:43.237Z Updated: 2026-05-28T10:33:10.091Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/edb0ee0c-1eab-4988-9eb6-cc0c253fee15?source=cve https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php#L403 https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/Includes/Api/Endpoints/Submission.php#L403 https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Models/Entries.php#L298 https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/Includes/Models/Entries.php#L298	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-7360`	vulnerable	2026-06-08 07:43:18.382843	HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Directory Traversal to Arbitrary File Move CRITICAL (9.1) The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). Published: 2025-07-15T04:23:41.923Z Updated: 2026-04-08T17:27:59.680Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve https://wordpress.org/plugins/ht-contactform/ https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FApi%2FEndpoints%2FSubmission.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-7341`	vulnerable	2026-06-08 07:43:18.354346	HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion CRITICAL (9.1) The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Published: 2025-07-15T04:23:40.839Z Updated: 2026-04-08T16:45:25.485Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4?source=cve https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Services/FileManager.php#L107 https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Ajax.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FAjax.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-7340`	vulnerable	2026-06-08 07:43:18.352166	HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload CRITICAL (9.8) The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Published: 2025-07-15T04:23:42.345Z Updated: 2026-04-08T17:32:19.145Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/f0cb666b-bfab-492f-a74e-11dc9b171136?source=cve https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Services/FileManager.php#L86 https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Services/FileManager.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FServices%2FFileManager.php	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Ht Contact Form – Drag & Drop Form Builder For Wordpress

PURL mappings

Vulnerability references

Contribute