When a form page type is made available to Wagtail editors through the
wagtail.contrib.forms app, and the page template is built using
Django's standard form rendering helpers such as form.as_p (as directed
in the documentation), any HTML tags used within a form field's help
text will be rendered unescaped in the page. Allowing HTML within help
text is an intentional design decision by Django; however, as a matter
of policy Wagtail does not allow editors to insert arbitrary HTML by
default, as this could potentially be used to carry out cross-site
scripting attacks, including privilege escalation. This functionality
should therefore not have been made available to editor-level users.
The vulnerability is not exploitable by an ordinary site visitor
without access to the Wagtail admin.