Cyber Resilience

CVE-2025-7341

Critical

Published: 15 July 2025

Published
15 July 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0163 82.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7341 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to and including 2.2.1. This flaw is tracked as CVE-2025-7341 with a CVSS 3.1 score of 9.1 and is associated with CWE-269.

Unauthenticated attackers with network access can exploit the issue to delete arbitrary files on the server. Successful exploitation can readily result in remote code execution when critical files such as wp-config.php are removed.

References to the plugin source and Wordfence advisory point to the affected FileManager.php and Ajax.php components without detailing specific mitigation steps beyond the need for an update.

The associated EPSS score shows no material change, remaining flat at a peak and current value of 0.0163.

EU & UK References

Vulnerability details

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and…

more

including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Vulnerability in public-facing WordPress plugin directly enables remote unauthenticated arbitrary file deletion (T1070.004) via exploitation of the web app (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7360Same product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CVE-2025-7340Same product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CVE-2024-12267Same product class: WordPress / CMS plugin
CVE-2025-2328Same product class: WordPress / CMS plugin
CVE-2025-14457Same product class: WordPress / CMS plugin
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2025-24596Same product class: WordPress / CMS plugin
CVE-2024-13904Same product class: WordPress / CMS plugin
CVE-2024-13558Same product class: WordPress / CMS plugin

Affected Assets

hasthemes
download contact form 7 widget for elementor page builder \& gutenberg blocks
≤ 2.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the arbitrary file deletion flaw in the HT Contact Form plugin by updating to patched versions beyond 2.2.1.

prevent

Enforces validation of file path inputs to the temp_file_delete() function, directly countering the insufficient path validation that enables arbitrary deletions.

prevent

Mandates enforcement of access controls to block unauthenticated attackers from invoking the vulnerable file deletion endpoint.

References