CVE-2025-7360

Published: Jul 15, 2025Modified: Apr 8, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

Affected (1)

Products: Hasthemes: Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks

1 product

Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks	Before 2.2.2

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (3)

https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FApi%2FEndpoints%2FSubmission.php

Source: security@wordfence.com

Patch

https://wordpress.org/plugins/ht-contactform/

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.