CVE-2025-7360
BaseFortify
Publication date: 2025-07-15
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hasthemes | download_contact_form_7_widget_for_elementor_page_builder_&_gutenberg_blocks | up to 2.2.2 (exclusive, i.e. 2.2.1 and earlier) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7360 is an arbitrary file move vulnerability in the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder WordPress plugin (slug `ht-contactform`), affecting all versions up to and including 2.2.1. The plugin's handle_files_upload() function does not sufficiently validate the file path it operates on (CWE-22), so an unauthenticated attacker can move arbitrary files on the server. The consequences depend on which file is moved: if wp-config.php is moved out of place, WordPress no longer sees an installed site and exposes its installer, which an attacker can complete against a database they control and from there gain remote code execution. [1, 2]
How can this vulnerability impact me?
An attacker who can reach your site over the network can move arbitrary files on the server without logging in. Depending on the file moved, that escalates to remote code execution, meaning the attacker runs code of their choosing on the server and can take over the site, read or exfiltrate its data, or take it offline. Because no authentication is required, every Internet-facing site running a vulnerable version is exposed. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm whether a vulnerable build (any version up to and including 2.2.1) is installed, and look for signs that the unauthenticated file move in handle_files_upload() has been exercised. For the version, run WP-CLI from the WordPress root: `wp plugin list --format=json | jq '.[] | select(.name=="ht-contactform") | {name,version,status}'` and compare the reported version against 2.2.2. For exploitation attempts, search the web server access log for POST requests to the plugin's REST route, for example `grep 'wp-json/ht-form/v1/submission' /var/log/apache2/access.log` (adjust the path for nginx or another server). Legitimate form submissions hit the same route, so the route alone is not an indicator; look for bursts of POSTs from a single client or from scripted User-Agents. Finally, check the state of critical files: `find /path/to/wordpress -type f -name 'wp-config.php' -mtime -7` lists a wp-config.php modified in the last 7 days, but a file that has been moved away will not be found at all, so a missing wp-config.php (or a site that suddenly shows the WordPress installer) is the stronger indicator, and bear in mind that an attacker can reset modification times. [1, 2]
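The following POSIX shell script is an added example, not code from the BaseFortify page or from the plugin vendor. It turns the three checks above into functions: a numeric version comparison against the fixed release, a scan of a combined-format access log for POSTs to the submission route (counted, and grouped by client IP so a scripted burst stands out), and a presence check for wp-config.php. The plugin slug `ht-contactform`, the fixed version 2.2.2 and the route `/wp-json/ht-form/v1/submission` are taken from the Q&A text as assumptions; the log lines are constructed for the demo, so it runs offline.

```bash
#!/bin/sh
# Added example, not code from the BaseFortify page or the plugin vendor.
# Assumptions (taken from the Q&A above, not independently verified here):
#   plugin slug : ht-contactform
#   fixed in    : 2.2.2 (anything below it is treated as vulnerable)
#   REST route  : /wp-json/ht-form/v1/submission
# All log lines are constructed for the demo; no live site is touched.

FIXED_VERSION="2.2.2"
ROUTE="/wp-json/ht-form/v1/submission"

# version_lt A B: succeed when dotted version A is numerically below B.
# Handles plain numeric versions with up to three components; missing
# components count as 0, so "2.2" < "2.2.2". Suffixes like "-beta" are not handled.
version_lt() {
    v_a=$1; v_b=$2
    old_ifs=$IFS; IFS=.
    set -- $v_a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v_b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# is_vulnerable VERSION: succeed when the installed plugin version predates the fix.
# On a real host feed it the output of: wp plugin get ht-contactform --field=version
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# count_route_posts: read a combined-format access log on stdin and print the
# number of POST requests whose path starts with $ROUTE (query strings allowed).
count_route_posts() {
    awk -v route="$ROUTE" '
        $6 == "\"POST" && index($7, route) == 1 { n++ }
        END { print n + 0 }'
}

# top_posters: same filter, but print "<count> <client-ip>" per source, busiest first.
# One IP hammering the submission route from a scripted User-Agent is the pattern
# to chase; a normal visitor submits the form once or twice.
top_posters() {
    awk -v route="$ROUTE" '
        $6 == "\"POST" && index($7, route) == 1 { c[$1]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# wp_config_state DIR: print "missing" when DIR/wp-config.php is gone, "present"
# otherwise. On a site that was installed, an absent wp-config.php is the signature
# of the file having been moved; an mtime search cannot see a file that is no longer there.
wp_config_state() {
    if [ -f "$1/wp-config.php" ]; then echo present; else echo missing; fi
}

# Constructed sample log (combined format). 203.0.113.7 is a scripted client
# posting to the submission route repeatedly; the other lines are noise.
SAMPLE_LOG='203.0.113.7 - - [15/Jul/2025:10:01:02 +0000] "POST /wp-json/ht-form/v1/submission HTTP/1.1" 200 312 "-" "python-requests/2.32"
198.51.100.3 - - [15/Jul/2025:10:01:05 +0000] "GET /wp-json/ht-form/v1/submission HTTP/1.1" 404 88 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jul/2025:10:01:09 +0000] "POST /wp-json/ht-form/v1/submission?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.32"
192.0.2.10 - - [15/Jul/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Demo run on the constructed data.
if is_vulnerable "2.2.1"; then
    echo "ht-contactform 2.2.1 is below $FIXED_VERSION: vulnerable"
fi
echo "POSTs to $ROUTE: $(printf '%s\n' "$SAMPLE_LOG" | count_route_posts)"
printf '%s\n' "$SAMPLE_LOG" | top_posters
```

On a real host, pipe the live access log into `top_posters` and pass the WP-CLI version string to `is_vulnerable`. A burst of POSTs to the submission route is also what contact-form spam bots produce, so treat the IP list as a lead rather than a verdict and correlate it with a missing or freshly re-created wp-config.php and with new files under wp-content/uploads.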
What immediate steps should I take to mitigate this vulnerability?
Update the plugin to version 2.2.2 or later; the fix adds file type validation and file name sanitization to the upload handler so it can no longer be used to move arbitrary files. If you cannot update immediately, deactivate the plugin until you can, which removes the vulnerable code path entirely. A web application firewall rule that blocks POST requests to `/wp-json/ht-form/v1/submission` is a stopgap, but it also blocks legitimate form submissions, so treat it as temporary rather than as a fix. Note that per-file permissions on wp-config.php do not stop this attack: the move runs as the web server user, and renaming a file needs write access to its parent directory, not to the file itself. The effective hardening is to keep the WordPress root non-writable by the PHP process (deploy and update with a separate user), or to place wp-config.php one directory above the document root, which WordPress supports, provided that directory is not writable by the PHP process either. Keep monitoring the web server logs for the activity described above, and run a file-integrity or security plugin that alerts on unexpected file changes. [1]