Cyber Resilience

CVE-2025-7360

Critical

Published: 15 July 2025

Published
15 July 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0266 86.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7360 is a critical-severity Path Traversal (CWE-22) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to and including 2.2.1. The flaw is tracked as CVE-2025-7360 with a CVSS 3.1 score of 9.1 and is classified under CWE-22.

Unauthenticated attackers can exploit the issue over the network to relocate arbitrary files on the server, which can readily result in remote code execution by targeting files such as wp-config.php.

The referenced WordPress plugin changeset and Wordfence threat intelligence entry indicate that a fix has been published in the plugin repository. The associated EPSS score remains flat at 0.0266 with no material increase after disclosure.

EU & UK References

Vulnerability details

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and…

more

including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in public-facing WordPress plugin enables unauthenticated remote file manipulation and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7341Same product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CVE-2025-7340Same product: Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CVE-2025-12493Same vendor: Hasthemes
CVE-2025-1661Same product class: WordPress / CMS plugin
CVE-2025-2328Same product class: WordPress / CMS plugin
CVE-2024-13545Same product class: WordPress / CMS plugin
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2025-22786Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin

Affected Assets

hasthemes
download contact form 7 widget for elementor page builder \& gutenberg blocks
≤ 2.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the insufficient file path validation in the handle_files_upload function by requiring validation of path inputs to block path traversal and arbitrary file moves.

prevent

Ensures timely identification, reporting, and correction of flaws like this path traversal vulnerability in the WordPress plugin, preventing exploitation.

detect

Monitors for unauthorized changes to software and information, detecting arbitrary file movements such as targeting wp-config.php that lead to RCE.

References