Cyber Resilience

CVE-2025-7340

Critical

Published: 15 July 2025

Published
15 July 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0197 83.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7340 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function. The flaw affects all versions through 2.2.1 and is tracked as CWE-434, carrying a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the issue over the network to upload arbitrary files to the server, which may enable remote code execution on the affected site.

Public references point to the vulnerable code in the plugin's FileManager.php and a subsequent changeset that addresses the upload handling; the Wordfence advisory entry for this CVE recommends applying the available plugin update to remediate the weakness.

EPSS remains flat at 0.0197 with no material increase after disclosure.

EU & UK References

Vulnerability details

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and…

more

including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary unauthenticated file upload in public-facing WordPress plugin directly enables exploitation of the web application (T1190) and deployment of a web shell for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7360Same product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CVE-2025-7341Same product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CVE-2024-13359Same product class: WordPress / CMS plugin
CVE-2024-8425Same product class: WordPress / CMS plugin
CVE-2024-13342Same product class: WordPress / CMS plugin
CVE-2025-1661Same product class: WordPress / CMS plugin
CVE-2024-13545Same product class: WordPress / CMS plugin
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434

Affected Assets

hasthemes
download contact form 7 widget for elementor page builder \& gutenberg blocks
≤ 2.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of information inputs like file types in the temp_file_upload function to prevent arbitrary file uploads.

prevent

Mandates timely identification, reporting, and correction of flaws such as the unrestricted file upload vulnerability in the plugin up to version 2.2.1.

preventdetect

Deploys malicious code protection at system entry points to detect and eradicate potentially executable files uploaded via the vulnerability.

References