CVE-2025-7340
Published: 15 July 2025
Summary
CVE-2025-7340 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function. The flaw affects all versions through 2.2.1 and is tracked as CWE-434, carrying a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the issue over the network to upload arbitrary files to the server, which may enable remote code execution on the affected site.
Public references point to the vulnerable code in the plugin's FileManager.php and a subsequent changeset that addresses the upload handling; the Wordfence advisory entry for this CVE recommends applying the available plugin update to remediate the weakness.
EPSS remains flat at 0.0197 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21412
Vulnerability details
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and…
more
including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary unauthenticated file upload in public-facing WordPress plugin directly enables exploitation of the web application (T1190) and deployment of a web shell for RCE (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of information inputs like file types in the temp_file_upload function to prevent arbitrary file uploads.
Mandates timely identification, reporting, and correction of flaws such as the unrestricted file upload vulnerability in the plugin up to version 2.2.1.
Deploys malicious code protection at system entry points to detect and eradicate potentially executable files uploaded via the vulnerability.