CVE-2025-7360

Severity: CRITICAL, CVSS 3.1 base score 9.1
Published: 2025-07-15, [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 19:39 (vuln.today)
Patch Released: Apr 08, 2026 - 19:39 (nvd), patch available
CVE Published: Jul 15, 2025 - 05:15 (nvd)

Description

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

Analysis

Arbitrary file movement in the HT Contact Form Widget for Elementor & Gutenberg WordPress plugin allows unauthenticated remote attackers to relocate files on the server, including wp-config.php, which enables remote code execution. All versions through 2.2.1 are affected. The flaw is insufficient path validation in the handle_files_upload() function. No public exploit had been identified at the time of analysis and observed exploitation activity was low.

Technical Context

CWE-22 (path traversal): handle_files_upload() performs a file move on paths it does not confine to the intended upload directory, so a request can name a source anywhere the web server user can read and a destination anywhere it can write. Because the endpoint is reachable without authentication (PR:N), an attacker can relocate critical WordPress files or overwrite executable PHP files by moving arbitrary source paths to attacker-controlled destinations. Relocating wp-config.php is the usual route to code execution: once the file is no longer at the site root, WordPress treats the site as not yet installed and exposes its setup flow, which an attacker can complete against a database they control. Confidentiality is rated None because the flaw moves files rather than reading them back to the attacker; the impact falls on integrity and availability.
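The following is an added illustration of the CWE-22 file-move pattern described above, written for this page. It is not code from the HT Contact Form plugin and does not reproduce its handle_files_upload() implementation; the function names (moveUploadVulnerable, moveUploadHardened), the upload-directory layout and the temp-directory fixture are all assumptions. The vulnerable variant concatenates caller-supplied source and destination paths and hands them to rename(); the hardened variant canonicalises both endpoints with realpath(), requires the source to stay inside the upload base, reduces the destination to a basename with an allow-listed extension, and refuses to overwrite existing files.

```php
<?php
// Added illustration of a CWE-22 file-move handler, vulnerable vs. hardened.
// Not code from the HT Contact Form plugin; all names and paths are assumptions.
// Requires PHP 8+ (str_contains).
declare(strict_types=1);

/**
 * VULNERABLE: caller-controlled source and destination are concatenated onto
 * the upload base with no canonicalisation or boundary check. A source such
 * as '../wp-config.php' relocates the site's configuration file, after which
 * WordPress no longer finds it at the site root.
 */
function moveUploadVulnerable(string $uploadBase, string $src, string $dst): bool
{
    $from = $uploadBase . '/' . $src;
    $to   = $uploadBase . '/' . $dst;
    return @rename($from, $to);
}

/**
 * HARDENED: the source must canonicalise to a regular file under $uploadBase,
 * the destination is reduced to a basename with an allow-listed extension, and
 * existing files are never overwritten.
 */
function moveUploadHardened(string $uploadBase, string $src, string $dstName): bool
{
    // realpath() on PHP 8 throws on embedded NUL bytes; reject them up front.
    if (str_contains($src, "\0") || str_contains($dstName, "\0")) {
        return false;
    }
    $base = realpath($uploadBase);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Trailing separator so that 'uploads2' does not pass as a prefix of 'uploads/'.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves '..' segments and symlinks, so any escape fails the prefix test.
    $from = realpath($base . $src);
    if ($from === false || !is_file($from) || strncmp($from, $base, strlen($base)) !== 0) {
        return false;
    }

    // Destination: no directory component, one allow-listed extension, no dotfiles, no clobbering.
    $name    = basename($dstName);
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];
    $ext     = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || !in_array($ext, $allowed, true)) {
        return false;
    }
    $to = $base . $name;          // cannot escape $base: base + basename by construction
    if (file_exists($to)) {
        return false;
    }
    return rename($from, $to);
}

// Stand-alone demo on a constructed layout in a temp directory (not a real site):
//   <tmp>/wp-config.php   stand-in for the real configuration file
//   <tmp>/uploads/a.txt   a legitimate upload
$root = sys_get_temp_dir() . '/cve-2025-7360-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");
file_put_contents($root . '/uploads/a.txt', "hello\n");
$uploads = $root . '/uploads';

printf("hardened, traversal in source:   %s\n", moveUploadHardened($uploads, '../wp-config.php', 'x.txt') ? 'moved' : 'rejected');
printf("hardened, traversal in dest:     %s\n", moveUploadHardened($uploads, 'a.txt', '../evil.php') ? 'moved' : 'rejected');
printf("hardened, legitimate rename:     %s\n", moveUploadHardened($uploads, 'a.txt', 'b.txt') ? 'moved' : 'rejected');
printf("vulnerable, traversal in source: %s\n", moveUploadVulnerable($uploads, '../wp-config.php', 'gone.txt') ? 'moved' : 'rejected');
printf("wp-config.php still at root:     %s\n", file_exists($root . '/wp-config.php') ? 'yes' : 'no');
```

Run it with `php` from the command line. The last line of output is the point of the exercise: after the vulnerable call, the stand-in wp-config.php is gone from the site root, which is exactly the condition that drops a real WordPress install into its setup flow. The hardened variant rejects the same request because realpath() resolves the '..' segment to a path outside the upload base.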

Affected Products

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks (WordPress plugin), vendor HasThemes, versions ≤2.2.1. CPE: cpe:2.3:a:hasthemes:download_contact_form_7_widget_for_elementor_page_builder_&_gutenberg_blocks:*:*:*:*:*:wordpress:*:*

Remediation

An upstream fix is available in WordPress plugin repository changeset 3326887 (https://plugins.trac.wordpress.org/changeset/3326887/); the release version that first carries it was not independently confirmed at the time of analysis, so treat any installed version at or below 2.2.1 as vulnerable and confirm the installed version is newer after updating. Update the plugin through the WordPress admin dashboard or install the latest release from https://wordpress.org/plugins/ht-contactform/. If immediate patching is not feasible, deactivate (or remove) the plugin until the update is applied. When reviewing for compromise, confirm that wp-config.php is still present at the site root and unmodified, that the WordPress installer (wp-admin/setup-config.php) is not being served for the site, and that no PHP files under wp-content (uploads/ in particular) were added or changed outside your own deployment windows. The vendor advisory and technical details are at https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve

Priority Score

46 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +1.3, CVSS +46, POC 0
