PHP
CVE-2025-7341
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description (CVE.org)
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Analysis (AI)
Arbitrary file deletion in HT Contact Form Widget For Elementor (WordPress plugin) allows unauthenticated attackers to remove critical server files, enabling remote code execution. Affecting all versions through 2.2.1, the vulnerability stems from insufficient path validation in temp_file_delete(), permitting deletion of wp-config.php or other essential files. CVSS 9.1 (Critical) with network attack vector, low complexity, and no authentication required. Vendor patch available (changeset 3326887). No public exploit identified at time of analysis, though the attack path is straightforward for skilled adversaries.
Technical Context (AI)
This vulnerability resides in the FileManager.php component of the HT Contact Form Widget plugin, specifically within the temp_file_delete() function called via Ajax.php. The flaw represents CWE-269 (Improper Privilege Management), where the function fails to validate user-supplied file paths before executing deletion operations. WordPress plugins running with web server privileges can access any file writable by the PHP process. By manipulating the file path parameter in an unauthenticated AJAX request, attackers can traverse directories and target critical WordPress core files like wp-config.php (containing database credentials and security keys) or .htaccess. Deleting wp-config.php forces WordPress into installation mode, allowing attackers to reconfigure the site with attacker-controlled database credentials, achieving remote code execution. The CPE identifier confirms this affects HasThemes' Download Contact Form 7 Widget for Elementor Page Builder & Gutenberg Blocks plugin across WordPress installations.
Remediation (AI)
Update immediately to the patched version available via the WordPress plugin repository, following changeset 3326887 released in early May 2025. Administrators should access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate HT Contact Form Widget, and click Update Now. For sites with automatic updates enabled, verify the patch has been applied by checking that the installed version exceeds 2.2.1. If immediate updates are not feasible, temporarily deactivate the plugin until patching is complete. Review web server logs for suspicious AJAX requests to admin-ajax.php targeting the temp_file_delete function, specifically looking for path traversal patterns (../, absolute paths). Verify the integrity of wp-config.php and other critical WordPress files. Consult the official vendor advisory and patch details at https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Ajax.php and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4.