CVE-2025-7360
Published: 15 July 2025
Summary
CVE-2025-7360 is a critical-severity Path Traversal (CWE-22) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to and including 2.2.1. The flaw is tracked as CVE-2025-7360 with a CVSS 3.1 score of 9.1 and is classified under CWE-22.
Unauthenticated attackers can exploit the issue over the network to relocate arbitrary files on the server, which can readily result in remote code execution by targeting files such as wp-config.php.
The referenced WordPress plugin changeset and Wordfence threat intelligence entry indicate that a fix has been published in the plugin repository. The associated EPSS score remains flat at 0.0266 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21413
Vulnerability details
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
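The root cause above is an upload handler whose file paths can be steered by the request. The following is an added example of the defensive shape such a handler should have; it is not the plugin's own code and does not reproduce its bug. It assumes the standard WordPress helpers wp_upload_dir(), sanitize_file_name(), wp_check_filetype(), wp_mkdir_p() and WP_Error are available.

```php
<?php
// Added example (not the plugin's code): handle one uploaded file so that neither
// the source nor the destination path can be influenced by request data.

/**
 * Store an uploaded file under the site's uploads directory.
 * Returns the final absolute path, or a WP_Error when the request is refused.
 */
function secure_handle_file_upload( array $file, string $subdir = 'contact-form' ) {
    // 1. The source must be a file PHP itself received in this request. A path
    //    taken from a form field (e.g. pointing at wp-config.php) is never accepted,
    //    so existing server files cannot be relocated through this handler.
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_source', 'Not an uploaded file.' );
    }

    // 2. Reduce the client-supplied name to a bare file name: basename() strips any
    //    directory components ("../", absolute prefixes), sanitize_file_name() the rest.
    $name = sanitize_file_name( basename( (string) $file['name'] ) );
    if ( '' === $name || '.' === $name[0] ) {
        return new WP_Error( 'bad_name', 'Rejected file name.' );
    }

    // 3. Only allow file types WordPress itself considers uploadable; this blocks
    //    .php and similar executable content from landing in a web-served directory.
    $type = wp_check_filetype( $name );
    if ( empty( $type['ext'] ) || empty( $type['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    // 4. The destination directory is chosen by the server, never by the request.
    $uploads    = wp_upload_dir();
    $base       = realpath( $uploads['basedir'] );
    $target_dir = $base . DIRECTORY_SEPARATOR . $subdir;
    if ( false === $base || ( ! is_dir( $target_dir ) && ! wp_mkdir_p( $target_dir ) ) ) {
        return new WP_Error( 'no_dir', 'Upload directory unavailable.' );
    }

    // 5. Containment check: the resolved directory must still sit under $base.
    $resolved = realpath( $target_dir );
    if ( false === $resolved
        || 0 !== strpos( $resolved . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'traversal', 'Destination escapes the uploads directory.' );
    }

    $dest = $resolved . DIRECTORY_SEPARATOR . $name;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store the file.' );
    }
    return $dest;
}
```

Step 1 is the check that matters most for this CVE class: move_uploaded_file() and is_uploaded_file() together guarantee the source is the request's own temporary upload, whereas a generic rename() on a request-supplied path is what turns "file upload" into "arbitrary file move".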
CWE(s)
- CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Path traversal in a public-facing WordPress plugin enables unauthenticated remote file manipulation and RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the insufficient file path validation in the handle_files_upload() function by requiring validation of path inputs to block path traversal and arbitrary file moves.
- SI-2 (Flaw Remediation): Ensures timely identification, reporting, and correction of flaws like this path traversal vulnerability in the WordPress plugin, preventing exploitation.
- Software and information integrity monitoring: Monitors for unauthorized changes to software and information, detecting arbitrary file movements such as those targeting wp-config.php that lead to RCE.