CVE-2025-7341
Published: 15 July 2025
Summary
CVE-2025-7341 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the arbitrary file deletion flaw in the HT Contact Form plugin by updating to patched versions beyond 2.2.1.
Enforces validation of file path inputs to the temp_file_delete() function, directly countering the insufficient path validation that enables arbitrary deletions.
Mandates enforcement of access controls to block unauthenticated attackers from invoking the vulnerable file deletion endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin directly enables remote unauthenticated arbitrary file deletion (T1070.004) via exploitation of the web app (T1190).
NVD Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and…
more
including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Deeper analysisAI
CVE-2025-7341 is an arbitrary file deletion vulnerability in the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress, affecting all versions up to and including 2.2.1. The issue arises from insufficient file path validation in the temp_file_delete() function, allowing attackers to target and remove any file on the server. Published on 2025-07-15, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is linked to CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By invoking the flawed function, they can delete arbitrary files, such as wp-config.php, potentially leading to remote code execution through site defacement, denial of service, or further compromise of the WordPress installation.
Advisories and references, including Wordfence's threat intelligence report, the plugin's source code in FileManager.php at line 107, and changeset 3326887 in Ajax.php, detail the vulnerability and associated patch, recommending updates to versions beyond 2.2.1 for mitigation.
Details
- CWE(s)