Wagtail · Wagtail · CVE-2020-15118
**Name of the Vulnerable Software and Affected Versions**
Wagtail versions prior to 2.7.4 and prior to 2.9.3
**Description**
The issue arises when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as `form.as_p`. Any HTML tags used within a form field's help text will be rendered unescaped in the page, potentially allowing cross-site scripting attacks, including privilege escalation (an editor's script runs in the browser of whoever views the page, including administrators). This functionality should not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
**Recommendations**
For versions prior to 2.7.4 and prior to 2.9.3, upgrade to Wagtail 2.7.4 or Wagtail 2.9.3 respectively, where help text is escaped so that HTML tags cannot be injected into the page.
As a temporary workaround for site owners who are unable to upgrade to the new versions, secure form page templates by rendering forms field by field, as Django's documentation describes, but omitting the `|safe` filter when outputting the help text (Django's own example applies `|safe` to `field.help_text`, which is exactly what must be dropped).
Site owners who wish to re-enable the use of HTML within help text may set `WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True` in their configuration settings, accepting the risk of this being exploited by editors.
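The following is an added illustration of the three rendering behaviours the advisory contrasts: the pre-fix path (help text inserted verbatim, as `form.as_p` does), the field-by-field workaround (help text escaped at render time), and the fixed behaviour (help text escaped when the form is built unless `WAGTAILFORMS_HELP_TEXT_ALLOW_HTML` opts back in). It is not Wagtail's or Django's code; the `FormField` class, the renderer functions and the sample field definitions are constructed stand-ins, and the `help_text_with_html` audit helper is an assumed convenience for site owners who want to find existing form pages whose help text already contains markup.

```python
"""Constructed illustration for CVE-2020-15118 (not Wagtail's own code).

Models how editor-controlled help text reaches the page under the
behaviours described in the advisory. The Field/renderer objects here are
stand-ins, not wagtail.contrib.forms or django.forms classes.
"""
from dataclasses import dataclass
from html import escape  # escapes < > & " ' like django.utils.html.escape
import re


@dataclass
class FormField:
    name: str
    label: str
    help_text: str  # in Wagtail's form builder this string is editor-controlled


def render_as_p_unescaped(fields):
    """Mimic form.as_p before the fix: label and input are built by the
    framework, but help_text is inserted verbatim (Django does not escape
    help_text in automatically generated forms)."""
    parts = []
    for f in fields:
        parts.append(
            f'<p><label for="id_{f.name}">{escape(f.label)}:</label> '
            f'<input type="text" name="{f.name}" id="id_{f.name}"> '
            f'<span class="helptext">{f.help_text}</span></p>'
        )
    return "\n".join(parts)


def render_field_by_field(fields):
    """The advisory's workaround: render each field yourself and omit |safe
    on the help text, i.e. the template outputs {{ field.help_text }} and
    Django's autoescaping applies. Here that is html.escape()."""
    parts = []
    for f in fields:
        parts.append(
            f'<p><label for="id_{f.name}">{escape(f.label)}:</label> '
            f'<input type="text" name="{f.name}" id="id_{f.name}"> '
            f'<span class="helptext">{escape(f.help_text)}</span></p>'
        )
    return "\n".join(parts)


def build_form_fields(raw_fields, allow_html=False):
    """Mirror the fixed behaviour: escape help text when the form is built,
    so that even form.as_p is safe. allow_html plays the role of the
    WAGTAILFORMS_HELP_TEXT_ALLOW_HTML setting (assumed mapping)."""
    return [
        FormField(f.name, f.label, f.help_text if allow_html else escape(f.help_text))
        for f in raw_fields
    ]


TAG_RE = re.compile(r"<[^>]+>")


def help_text_with_html(fields):
    """Audit helper (assumed, not a Wagtail API): names of fields whose
    help text contains HTML tags. Useful for reviewing existing form pages
    before deciding whether to opt back in to HTML help text."""
    return [f.name for f in fields if TAG_RE.search(f.help_text)]


# Constructed sample: one benign use of markup and one that injects a script.
CONSTRUCTED_FIELDS = [
    FormField("email", "Your email", "We will <b>never</b> share this."),
    FormField("message", "Message", 'Be concise.<script>alert("xss")</script>'),
]


if __name__ == "__main__":
    print("--- pre-fix, form.as_p style (script tag survives) ---")
    print(render_as_p_unescaped(CONSTRUCTED_FIELDS))
    print("--- workaround: field-by-field without |safe ---")
    print(render_field_by_field(CONSTRUCTED_FIELDS))
    print("--- fixed: escaped at build time, then form.as_p ---")
    print(render_as_p_unescaped(build_form_fields(CONSTRUCTED_FIELDS)))
    print("fields with HTML in help text:", help_text_with_html(CONSTRUCTED_FIELDS))
```

Note that the workaround and the fix are alternatives, not layers: running `render_field_by_field` over fields already escaped by `build_form_fields` would double-escape the help text, which is harmless but shows `&amp;lt;` to visitors. Once upgraded, the template can go back to `form.as_p` or to `{{ field.help_text }}` without `|safe`.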