CVE-2025-7341
Published: 15 July 2025
Summary
CVE-2025-7341 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to and including 2.2.1. This flaw is tracked as CVE-2025-7341 with a CVSS 3.1 score of 9.1 and is associated with CWE-269.
Unauthenticated attackers with network access can exploit the issue to delete arbitrary files on the server. Successful exploitation can readily result in remote code execution when critical files such as wp-config.php are removed.
References to the plugin source and Wordfence advisory point to the affected FileManager.php and Ajax.php components without detailing specific mitigation steps beyond the need for an update.
The associated EPSS score shows no material change, remaining flat at a peak and current value of 0.0163.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21415
Vulnerability details
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and…
more
including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin directly enables remote unauthenticated arbitrary file deletion (T1070.004) via exploitation of the web app (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the arbitrary file deletion flaw in the HT Contact Form plugin by updating to patched versions beyond 2.2.1.
Enforces validation of file path inputs to the temp_file_delete() function, directly countering the insufficient path validation that enables arbitrary deletions.
Mandates enforcement of access controls to block unauthenticated attackers from invoking the vulnerable file deletion endpoint.