CVE-2025-7340
Published: 15 July 2025
Summary
CVE-2025-7340 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs like file types in the temp_file_upload function to prevent arbitrary file uploads.
Mandates timely identification, reporting, and correction of flaws such as the unrestricted file upload vulnerability in the plugin up to version 2.2.1.
Deploys malicious code protection at system entry points to detect and eradicate potentially executable files uploaded via the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary unauthenticated file upload in public-facing WordPress plugin directly enables exploitation of the web application (T1190) and deployment of a web shell for RCE (T1505.003).
NVD Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and…
more
including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysisAI
CVE-2025-7340 is an arbitrary file upload vulnerability in the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress, affecting all versions up to and including 2.2.1. The flaw arises from missing file type validation in the temp_file_upload() function located in the admin/Includes/Services/FileManager.php component, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By leveraging the inadequate validation, they can upload arbitrary files to the affected WordPress site's server, which may lead to remote code execution depending on server configuration and file handling.
Mitigation details are available in referenced advisories, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/f0cb666b-bfab-492f-a74e-11dc9b171136?source=cve. The plugin's Trac repository documents the vulnerable code at line 86 of FileManager.php (https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Services/FileManager.php#L86) and a related changeset (https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Services/FileManager.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FServices%2FFileManager.php), suggesting patching via an updated plugin version.
Details
- CWE(s)