What is CVE-2025-7340 and how does it work?

CVE-2025-7340 (CVSS score 9.8) affects the plugin's temp_file_upload() function due to missing file type validation in all versions up to 2.2.1. It allows unauthenticated attackers to upload arbitrary files, including executable PHP scripts, to publicly accessible directories, enabling direct access and execution of malicious code for complete remote code execution and full site compromise.

What is CVE-2025-7341 and what damage can it cause?

CVE-2025-7341 (CVSS score 9.8) enables arbitrary file deletion through the temp_file_delete() function. Attackers can exploit this flaw to delete critical system files, including the wp-config.php file, which places the WordPress site into setup mode and enables attackers to gain full control by pointing the installation to a new database under their control.

What is CVE-2025-7360 and its impact?

CVE-2025-7360 (CVSS score 9.8) enables arbitrary file movement capabilities through the handle_files_upload() function. It allows attackers to move critical system files to different locations, potentially triggering the same type of system compromise as file deletion, disrupting site functionality and enabling unauthorized access.

How many websites are affected by these HT Contact Form Widget vulnerabilities?

More than 10,000 websites using the HT Contact Form Widget plugin are potentially affected by these critical vulnerabilities. All sites running versions up to and including 2.2.1 are vulnerable to complete site takeover through unauthenticated attacks.

Who discovered the HT Contact Form Widget vulnerabilities?

The vulnerabilities were reported by security researchers vgo0 and Phat Ri via the Wordfence Bug Bounty Program. Their research identified the critical flaws that could lead to complete website compromise through unauthenticated attacks.

When were the patches released for HT Contact Form Widget?

Wordfence contacted plugin developer HasTech IT on July 8, 2025, and the development team released patches just five days later on July 13, 2025. This quick response demonstrates responsible vulnerability disclosure and rapid patch development.

What should WordPress administrators do about these vulnerabilities?

WordPress site administrators should immediately update the HT Contact Form Widget plugin to version 2.2.2 or later to protect against these critical vulnerabilities. They should also review their sites for signs of compromise and ensure all plugins are kept up to date.

Do these vulnerabilities require authentication to exploit?

No, all three vulnerabilities can be exploited through unauthenticated attacks, meaning attackers do not need to log into the WordPress site or have any user credentials to exploit these flaws. This makes them particularly dangerous as they can be exploited by anyone with access to the website.

What can attackers achieve with these HT Contact Form Widget vulnerabilities?

Attackers can achieve complete site takeover by exploiting these vulnerabilities. They can upload malicious PHP scripts for remote code execution, delete critical system files like wp-config.php to reset the site, or move files to disrupt functionality. All paths lead to full control of the affected WordPress website.

Why are these HT Contact Form Widget vulnerabilities considered critical?

All three vulnerabilities have CVSS scores of 9.8, indicating critical severity. They allow unauthenticated attackers to achieve complete site compromise through multiple attack vectors: arbitrary file upload, arbitrary file deletion, and arbitrary file movement. The combination of no authentication requirement and complete system compromise potential makes these extremely dangerous.

Advisory

Critical vulnerabilities reported in HT Contact Form Widget

Q: What are the critical vulnerabilities in HT Contact Form Widget?

A trio of critical security vulnerabilities has been discovered in the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks WordPress plugin, exposing more than 10,000 websites to complete site takeover through unauthenticated attacks. All three vulnerabilities have CVSS scores of 9.8, indicating critical severity.

published: July 28, 2025

Take action: If you use the HT Contact Form Widget on your WordPress site, immediately update to version 2.2.2 or later. Updating these plugins is trivial, don't delay because hackers will find the unpatched versions.

Learn More

trio of critical security vulnerabilities has been discovered in the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder WordPress plugin, exposing more than 10,000 websites to complete site takeover through unauthenticated attacks.

The vulnerabilities were reported by security researchers vgo0 and Phat Ri via the Wordfence Bug Bounty Program.

Vulnerabilities summary:

CVE-2025-7340 (CVSS score 9.8) - affects the plugin's temp_file_upload() function due to missing file type validation in all versions up to and including 2.2.1. It allows unauthenticated attackers to upload arbitrary files, including executable PHP scripts, to the affected site's server without any authentication requirements. The uploaded files are stored in publicly accessible directories, enabling direct access and execution of malicious code, which can lead to complete remote code execution and full site compromise.
CVE-2025-7341 (CVSS score 9.8) - enables arbitrary file deletion through the temp_file_delete() function. Attackers can exploit this flaw to delete critical system files, including the wp-config.php file, which places the WordPress site into setup mode and enables attackers to gain full control by pointing the installation to a new database under their control
CVE-2025-7360 (CVSS score 9.8) - enables arbitrary file movement capabilities through the handle_files_upload() function. It allows attackers to move critical system files to different locations. The file movement capability can trigger the same type of system compromise as file deletion, potentially disrupting site functionality and enabling unauthorized access.

The HT Contact Form Widget plugin, developed by HasTech IT, serves as a contact form solution for WordPress sites using Elementor Page Builder and Gutenberg Blocks.

Wordfence contacted plugin developer HasTech IT on July 8, 2025, and the development team released patches just five days later on July 13, 2025. WordPress site administrators should immediately update the HT Contact Form Widget plugin to version 2.2.2 or later.

Critical vulnerabilities reported in HT Contact Form Widget

Read More
Critical Vulnerability Reported in Advanced Custom Fields: Extended …
LiteSpeed Cache plugin has XSS vulnerability, 4M WordPress …
Critical unpatched flaws reported in premium WordPress real …
Craft CMS zero-Day vulnerabilities actively exploited
Critical vulnerability reported in AI Engine WordPress plugin