What is the CVSS score of CVE-2025-7360?

CVE-2025-7360 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 1.3%.

Which versions of PHP are affected by CVE-2025-7360?

CVE-2025-7360 is a critical vulnerability in the HT Contact Form Widget plugin (versions ≤2.2.1) that permits unauthenticated attackers to move arbitrary server files, including WordPress…. A patch is available.

How to fix or mitigate CVE-2025-7360?

Within 24 hours: Identify all WordPress instances running HT Contact Form Widget plugin and confirm current version via admin dashboard or WP-CLI command 'wp plugin list'. Within 7 days: Update plugin to version 2.2.2 or later (vendor-released patch available) across all installations; verify update completion and test contact form functionality. Within 30 days: Review server file access logs for suspicious file movement activity dated prior to patching; audit wp-config.php file integrity and reset all WordPress database credentials and security keys as precaution.

PHP CVE-2025-7360

CRITICAL

Path Traversal (CWE-22)

2025-07-15 security@wordfence.com

Path Traversal WordPress RCE PHP Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Elementor

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 08, 2026 - 19:39 vuln.today

Patch released

Apr 08, 2026 - 19:39 nvd

Patch available

CVE Published

Jul 15, 2025 - 05:15 nvd

CRITICAL 9.1

DescriptionCVE.org

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

AnalysisAI

Arbitrary file movement in HT Contact Form Widget for Elementor & Gutenberg (WordPress plugin) allows unanatuhenticated remote attackers to relocate server files including wp-config.php, enabling remote code execution. Affects all versions through 2.2.1. Vulnerability stems from insufficient path validation in handle_files_upload() function. No public exploit identified at time of analysis, low observed exploitation activity.

Technical ContextAI

CWE-22 path traversal in handle_files_upload() permits unrestricted file relocation operations without directory boundary enforcement. Unauthenticated access (PR:N) to file handling endpoint enables attackers to manipulate critical WordPress configuration files or overwrite executable PHP files by moving arbitrary source paths to attacker-controlled destinations.

RemediationAI

Upstream fix available via WordPress plugin repository changeset 3326887; released patched version not independently confirmed at time of analysis. Immediately update plugin through WordPress admin dashboard or manually download latest version from https://wordpress.org/plugins/ht-contactform/. If immediate patching is not feasible, deactivate plugin until update is applied. Review server file integrity for unauthorized modifications to wp-config.php and PHP files in wp-content directories. Vendor advisory and technical details available at https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve and patch commit at https://plugins.trac.wordpress.org/changeset/3326887/

More from same product – last 7 days

CVE-2026-55692 HIGH This Week POC

7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi

CVE-2026-9815 MEDIUM This Month POC

6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co

CVE-2026-48908 CRITICAL Act Now

10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL Act Now

10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve

CVE-2025-69108 CRITICAL Act Now

9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

CVE-2025-7360 vulnerability details – vuln.today

Back

PHP CVE-2025-7360

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code