Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-07-15
Score: 9.8 Critical
EPSS: 2.0% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The plugin processes file uploads without restricting MIME types, a flaw catalogued as CWE‑434. Unauthenticated users can upload any file to the server. If a malicious script is placed in a web‑accessible directory, it can be executed, giving the attacker full control over the affected WordPress installation and compromising all aspects of the site.

Affected Systems

The vulnerability applies to the htplugins HT Contact Form – Drag & Drop Form Builder for WordPress plugin, versions up to and including 2.2.1. Sites using this plugin in those releases are at risk.

Risk and Exploitability

With a CVSS score of 9.8 the weakness is considered critical. The EPSS score is below 1 % and the vulnerability is not listed in CISA KEV, suggesting a very low current exploitation rate. Nevertheless, the attack path is simple: an unauthenticated attacker posts a file to the plugin’s upload endpoint, and if the server executes the file, remote code execution follows. No additional access or configuration is required beyond the upload action.

Generated by OpenCVE AI on April 20, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade the HT Contact Form plugin to a version newer than 2.2.1, which restores proper MIME type validation.
  • If an upgrade cannot be performed immediately, disable or restrict the file‑upload feature in the plugin’s settings, allowing only non‑executable extensions such as .jpg or .txt.
  • Add a Web Application Firewall rule or .htaccess directives to block execution of files in the plugin’s upload directory, ensuring that even if a file is uploaded it is served as a download, not a script.

Generated by OpenCVE AI on April 20, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21412 The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Wed, 16 Jul 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Hasthemes
Hasthemes download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CPEs cpe:2.3:a:hasthemes:download_contact_form_7_widget_for_elementor_page_builder_\&_gutenberg_blocks:*:*:*:*:*:wordpress:*:*
Vendors & Products Hasthemes
Hasthemes download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00128}

Tue, 15 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:19.145Z

Reserved: 2025-07-07T20:29:32.034Z

Link: CVE-2025-7340

cve-icon Vulnrichment

Updated: 2025-07-15T13:30:57.700Z

cve-icon NVD

Status : Modified

Published: 2025-07-15T05:15:28.520

Modified: 2026-04-08T19:24:31.693

Link: CVE-2025-7340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses