CVE-2025-7360
Published: 15 July 2025
Summary
CVE-2025-7360 is a critical-severity Path Traversal (CWE-22) vulnerability in Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient file path validation in the handle_files_upload function by requiring validation of path inputs to block path traversal and arbitrary file moves.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and correction of flaws like this path traversal vulnerability in the WordPress plugin, preventing exploitation.
- Integrity monitoring: monitors for unauthorized changes to software and information, detecting arbitrary file movements such as targeting wp-config.php that lead to RCE.
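To make the SI-10 control concrete, the following is an added example and not code from the plugin (which is written in PHP); it is a language-neutral Python illustration of how a file-move helper should validate a caller-supplied path before using it. The function names `naive_destination`, `safe_destination`, `rejects` and `run_checks`, the temporary directory layout and the `../wp-config.php` input are all constructed for this illustration. The check goes beyond the single `..` case the advisory describes: it also rejects absolute names, names that resolve to a sibling directory with the same prefix, the base directory itself, and escapes through a symlink placed inside the upload directory.

```python
import os
import tempfile


def naive_destination(upload_dir: str, user_supplied_name: str) -> str:
    """The CWE-22 pattern: a caller-controlled name is joined onto the
    upload directory with no containment check, so '..' segments or an
    absolute name make the result point outside upload_dir."""
    return os.path.join(upload_dir, user_supplied_name)


def safe_destination(upload_dir: str, user_supplied_name: str) -> str:
    """Return an absolute path inside upload_dir, or raise ValueError.

    Symlinks in the base directory and in the candidate path are resolved
    first (os.path.realpath), then containment is decided with
    os.path.commonpath rather than a string prefix, so that a sibling
    directory such as /srv/uploads2 is not accepted as inside /srv/uploads.
    """
    if not user_supplied_name or "\x00" in user_supplied_name:
        raise ValueError("empty or NUL-containing file name")
    if os.path.isabs(user_supplied_name):
        # os.path.join would silently discard upload_dir for an absolute name.
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes the upload directory: {user_supplied_name!r}")
    return candidate


def rejects(upload_dir: str, name: str) -> bool:
    """True if safe_destination refuses the name."""
    try:
        safe_destination(upload_dir, name)
    except ValueError:
        return True
    return False


def run_checks() -> dict:
    """Exercise both helpers in a throwaway directory (all inputs constructed)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)

        traversal = "../wp-config.php"  # the kind of input the advisory describes
        naive = os.path.realpath(naive_destination(uploads, traversal))
        results["naive_escapes"] = naive == os.path.join(root, "wp-config.php")
        results["traversal_rejected"] = rejects(uploads, traversal)
        results["absolute_rejected"] = rejects(uploads, os.path.join(root, "wp-config.php"))
        results["sibling_rejected"] = rejects(uploads, "../uploads2/x.txt")
        results["base_itself_rejected"] = rejects(uploads, ".")
        # A '..' that stays inside the base is harmless and is normalised away.
        results["inside_dotdot_ok"] = (
            safe_destination(uploads, "form-42/../form-43/resume.pdf")
            == os.path.join(uploads, "form-43", "resume.pdf")
        )
        # A symlink inside uploads that points outside must not be a way out.
        try:
            os.symlink(root, os.path.join(uploads, "link"))
            results["symlink_rejected"] = rejects(uploads, "link/wp-config.php")
        except OSError:
            pass  # platform without symlink support; skip this case
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The important design choice is that the containment decision is made on the fully resolved path, after symlinks are followed, and with `os.path.commonpath` instead of `str.startswith`; both shortcuts are common sources of bypasses in otherwise well-intentioned path checks.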
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin enables unauthenticated remote file manipulation and RCE.
NVD Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Deeper analysis
CVE-2025-7360 is a high-severity vulnerability in the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress, affecting all versions up to and including 2.2.1. It stems from insufficient file path validation in the handle_files_upload() function, enabling arbitrary file moving on the server. Published on 2025-07-15, the issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-22 (Path Traversal).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed file handling, they can move arbitrary files on the server, potentially leading to remote code execution—for instance, by targeting critical files like wp-config.php to gain full control over the WordPress installation.
Advisories reference a patch in WordPress trac changeset 3326887 for the affected Submission.php file in the plugin's admin/Includes/Api/Endpoints directory. Additional details are available on the plugin's WordPress.org page and Wordfence threat intelligence page, recommending immediate updates to mitigate the risk.
Details
- CWE(s)