CVE-2025-7341
BaseFortify
Publication date: 2025-07-15
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hasthemes | download_contact_form_7_widget_for_elementor_page_builder_&_gutenberg_blocks | to 2.2.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the HT Contact Form Widget for WordPress, where the temp_file_delete() function does not properly validate file paths. This allows unauthenticated attackers to delete arbitrary files on the server by exploiting insufficient file path validation. Deleting critical files like wp-config.php can lead to remote code execution, making the vulnerability severe.
How can this vulnerability impact me?
The vulnerability can allow an attacker without authentication to delete any file on the server where the plugin is installed. This can lead to severe impacts such as remote code execution if critical files (e.g., wp-config.php) are deleted. This could compromise the entire website, leading to data loss, site defacement, or full server takeover.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary file deletion via the temp_file_delete() function in the ht-contactform WordPress plugin. Detection can focus on monitoring HTTP requests to the AJAX endpoint handling file deletions, specifically requests invoking the `ht_form_temp_file_delete` action. You can look for suspicious POST requests with the `ht_form_file_id` parameter targeting this AJAX action. For example, using command-line tools to inspect web server logs or live traffic:

1. To search web server logs for suspicious deletion requests: `grep 'ht_form_temp_file_delete' /path/to/access.log`
2. To monitor live HTTP requests for this AJAX action (assuming access to the server): `sudo tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'ht_form_temp_file_delete'`
3. Use WP-CLI or custom scripts to check whether the installed plugin version is <= 2.2.1, which is vulnerable.

Since the vulnerability allows unauthenticated attackers to delete arbitrary files, any unexpected file deletion or errors related to missing critical files (like wp-config.php) should be investigated. However, no specific built-in commands are provided in the resources. [1, 2]
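The log-based check and the version check above, worked through as an added example that is not code from the BaseFortify page or the ht-contactform plugin. The sample log lines are constructed; the script assumes the `action` and `ht_form_file_id` parameters are visible in the logged request line (or in a WAF / request-body log), since a plain access log does not record POST bodies, and the WP-CLI command `wp plugin get ht-contactform --field=version` is my suggestion for reading the installed version, not something the page gives.

```shell
#!/bin/sh
# Added example, not code from the BaseFortify page or the ht-contactform
# plugin: scan a web access log for admin-ajax.php requests invoking the
# ht_form_temp_file_delete action, flag those whose ht_form_file_id looks
# like a path rather than an opaque temp-file token, and check an installed
# plugin version against the first fixed release (2.2.2) named on the page.
# Assumption: the parameters appear in the logged request line (query string)
# or in a WAF / request-body log; a plain access log does not record POST
# bodies, so a body-only request shows up only as a bare admin-ajax.php hit.

# All requests invoking the deletion action (the page's grep, scoped to admin-ajax.php).
ht_form_delete_requests() {
    grep 'admin-ajax\.php' "$1" | grep 'action=ht_form_temp_file_delete'
}

# Subset whose ht_form_file_id starts with a slash or contains "..", plain or
# URL-encoded. A legitimate id is an opaque token, not a path.
suspicious_ht_form_deletes() {
    ht_form_delete_requests "$1" \
        | grep -Ei 'ht_form_file_id=(/|%2f|[^& ]*(\.\.|%2e%2e))'
}

count_suspicious_ht_form_deletes() {
    suspicious_ht_form_deletes "$1" | grep -c .
}

# Exit 0 when the version is below 2.2.2. Feed it the output of
# `wp plugin get ht-contactform --field=version` (WP-CLI, my suggestion).
ht_form_version_is_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{ vuln = ($1 < 2 || ($1 == 2 && ($2 < 2 || ($2 == 2 && $3 < 2)))); exit vuln ? 0 : 1 }'
}

# Constructed sample log (Apache combined format, RFC 5737 documentation addresses).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [15/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ht_form_temp_file_delete&ht_form_file_id=a1b2c3 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jul/2025:10:02:17 +0000] "POST /wp-admin/admin-ajax.php?action=ht_form_temp_file_delete&ht_form_file_id=../../../wp-config.php HTTP/1.1" 200 45 "-" "curl/8.5.0"
203.0.113.12 - - [15/Jul/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=ht_form_temp_file_delete&ht_form_file_id=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 45 "-" "python-requests/2.31.0"
198.51.100.5 - - [15/Jul/2025:10:04:01 +0000] "GET /wp-content/uploads/ht_form/temp/a1b2c3.pdf HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [15/Jul/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=ht_form_temp_file_delete HTTP/1.1" 200 45 "-" "Mozilla/5.0"
EOF

# The last sample line carries no ht_form_file_id in the request line (a body-only
# POST) and is therefore not flagged, which is exactly the blind spot noted above.
echo "suspicious deletion requests: $(count_suspicious_ht_form_deletes "$SAMPLE_LOG")"   # 2
suspicious_ht_form_deletes "$SAMPLE_LOG"
```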
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the ht-contactform plugin to a version later than 2.2.1 where the vulnerability is fixed.
2. If updating is not immediately possible, restrict access to the AJAX endpoints related to temporary file deletion (e.g., `ht_form_temp_file_delete`) by implementing firewall rules or web server access controls to block unauthenticated requests.
3. Monitor and audit file deletions in the WordPress upload directories, especially the `ht_form/temp` directory.
4. Consider disabling or removing the ht-contactform plugin temporarily until a patch is applied.

These steps help prevent unauthenticated arbitrary file deletion and reduce the risk of remote code execution. [1, 2]