Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-07-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion potentially leading to remote code execution
Action: Immediate Patch
AI Analysis

Impact

The HT Contact Form widget for Elementor and Gutenberg, a WordPress form builder, contains a flaw in the temp_file_delete() routine that fails to validate file paths. This flaw allows an attacker to specify any file path and delete that file from the server. Removing key configuration files, such as wp-config.php, can quickly lead to full remote code execution. The weakness is classified as improper authorization (CWE‑269).

Affected Systems

The vulnerability affects HT Contact Form – Drag & Drop Form Builder for WordPress, released by htplugins, all versions up to and including 2.2.1. Any site running one of those releases is susceptible.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation, and the issue is not yet listed in the CISA KEV catalog. Attackers can trigger the deletion by sending an unauthenticated AJAX request to the temp_file_delete endpoint, which does not require any authentication or elevated privileges. If a critical file is deleted, the attacker can achieve full control of the web application and possibly the underlying server.

Generated by OpenCVE AI on April 22, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HT Contact Form – Drag & Drop Form Builder for WordPress to any newer version.
  • If an upgrade is not immediately possible, disable or restrict the temp_file_delete AJAX action so that only authenticated administrators can invoke it.
  • Reconfigure file system permissions to prevent the web server process from deleting core WordPress files such as wp-config.php.
  • Implement monitoring and logging for file deletion events and set up alerts for unauthorized changes.

Generated by OpenCVE AI on April 22, 2026 at 01:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21415 The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Wed, 16 Jul 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Hasthemes
Hasthemes download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
CPEs cpe:2.3:a:hasthemes:download_contact_form_7_widget_for_elementor_page_builder_\&_gutenberg_blocks:*:*:*:*:*:wordpress:*:*
Vendors & Products Hasthemes
Hasthemes download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00214}

Tue, 15 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Hasthemes Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:25.485Z

Reserved: 2025-07-07T20:52:52.019Z

Link: CVE-2025-7341

cve-icon Vulnrichment

Updated: 2025-07-15T13:35:20.668Z

cve-icon NVD

Status : Modified

Published: 2025-07-15T05:15:29.883

Modified: 2026-04-08T18:25:10.033

Link: CVE-2025-7341

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses