CVE-2025-7341
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Analysis
Arbitrary file deletion in HT Contact Form Widget For Elementor (WordPress plugin) allows unauthenticated attackers to remove critical server files, enabling remote code execution. Affecting all versions through 2.2.1, the vulnerability stems from insufficient path validation in temp_file_delete(), permitting deletion of wp-config.php or other essential files. CVSS 9.1 (Critical) with network attack vector, low complexity, and no authentication required. Vendor patch available (changeset 3326887). No public exploit identified at time of analysis, though the attack path is straightforward for skilled adversaries.
Technical Context
This vulnerability resides in the FileManager.php component of the HT Contact Form Widget plugin, specifically within the temp_file_delete() function called via Ajax.php. The flaw represents CWE-269 (Improper Privilege Management), where the function fails to validate user-supplied file paths before executing deletion operations. WordPress plugins running with web server privileges can access any file writable by the PHP process. By manipulating the file path parameter in an unauthenticated AJAX request, attackers can traverse directories and target critical WordPress core files like wp-config.php (containing database credentials and security keys) or .htaccess. Deleting wp-config.php forces WordPress into installation mode, allowing attackers to reconfigure the site with attacker-controlled database credentials, achieving remote code execution. The CPE identifier confirms this affects HasThemes' Download Contact Form 7 Widget for Elementor Page Builder & Gutenberg Blocks plugin across WordPress installations.
Affected Products
All versions of HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks (also marketed as Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks) up to and including version 2.2.1 for WordPress are vulnerable. The plugin is developed by HasThemes and distributed through the official WordPress plugin repository. The CPE designation cpe:2.3:a:hasthemes:download_contact_form_7_widget_for_elementor_page_builder_&_gutenberg_blocks applies to all affected versions running on any WordPress installation. The vulnerability exists in the admin/Includes/Services/FileManager.php and admin/Includes/Ajax.php components across all vulnerable releases.
Remediation
Update immediately to the patched version available via the WordPress plugin repository following changeset 3326887, released in early May 2025. Administrators should access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate HT Contact Form Widget, and click Update Now. For sites with automatic updates enabled, verify the patch has been applied by checking that the version exceeds 2.2.1. If immediate updates are not feasible, temporarily deactivate the plugin until patching is complete. Review web server logs for suspicious AJAX requests to admin-ajax.php targeting the temp_file_delete function, specifically looking for path traversal patterns (../, absolute paths). Verify the integrity of wp-config.php and other critical WordPress files. Consult the official vendor advisory and patch details at https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Ajax.php and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4.
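As an added example (not from this advisory or the plugin's code), the following Python scans web server access logs for the request pattern described above: admin-ajax.php requests referring to temp_file_delete whose parameters carry traversal sequences, absolute paths, or the names of critical files. The sample log lines are constructed, and because the plugin's real AJAX action and parameter names are not given on this page, matching on the string temp_file_delete and reporting a parameter named file are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines, not real traffic. The advisory does not
# give the plugin's AJAX action name, so matching "temp_file_delete" in the
# request is an assumption used only to narrow the search.
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=temp_file_delete&file=../../wp-config.php HTTP/1.1" 200 41 "-" "curl/8.0"
203.0.113.5 - - [07/May/2025:10:01:13 +0000] "POST /wp-admin/admin-ajax.php?action=temp_file_delete&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 41 "-" "curl/8.0"
198.51.100.9 - - [07/May/2025:10:02:44 +0000] "POST /wp-admin/admin-ajax.php?action=temp_file_delete&file=upload_1234.tmp HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.9 - - [07/May/2025:10:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2025:10:04:20 +0000] "POST /wp-admin/admin-ajax.php?action=temp_file_delete&file=/var/www/html/.htaccess HTTP/1.1" 200 41 "-" "curl/8.0"
"""

# Common/combined log format: client, timestamp, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path segment (../ or ..\), checked after URL decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SENSITIVE_NAMES = ("wp-config.php", ".htaccess")


def classify_request(path):
    """Return the reasons an admin-ajax.php request looks like abuse of the
    delete function; an empty list means it looks benign."""
    if "admin-ajax.php" not in path:
        return []
    decoded = unquote(unquote(path))  # second pass catches double-encoding
    if "temp_file_delete" not in decoded:
        return []
    reasons = []
    query = decoded.partition("?")[2]  # only the query string is logged;
    for param in query.split("&"):     # POST body parameters are not
        key, _, value = param.partition("=")
        if TRAVERSAL_RE.search(value):
            reasons.append(f"path traversal in {key}")
        if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", value):
            reasons.append(f"absolute path in {key}")
        if any(name in value for name in SENSITIVE_NAMES):
            reasons.append(f"sensitive file name in {key}")
    return reasons


def scan_log(text):
    """Return (ip, timestamp, raw path, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify_request(m.group("path"))):
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), reasons))
    return hits
```

Standard access logs record only the query string, so parameters sent in a POST body are invisible to this scan; for those, a web application firewall log or a PHP-level audit log is needed.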