Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Published: 2025-07-15
Score: 9.1 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin contains a directory traversal flaw (CWE-22) in its upload handler, handle_files_upload(), which does not adequately validate the file paths it operates on. An unauthenticated attacker who supplies a crafted path can move an arbitrary file that the web server user is able to rename to a location of their choosing. No confidentiality impact is scored, because the file is relocated rather than read back, but moving the right file is enough for remote code execution: a WordPress site whose wp-config.php has been moved away behaves as a fresh, unconfigured install, which is the usual route from this bug class to code execution.

Affected Systems

The vulnerability affects the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress by Hasthemes, all versions up to and including 2.2.1, on any WordPress installation where the plugin is active. NVD tracks the product as cpe:2.3:a:hasthemes:download_contact_form_7_widget_for_elementor_page_builder_\&_gutenberg_blocks:*:*:*:*:*:wordpress:*:*; when matching inventory, check the installed plugin's version header rather than the CPE name, which does not match the plugin's display name.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) reflects a network-reachable flaw that needs no privileges or user interaction and has high integrity and availability impact; confidentiality is not scored because the bug moves files rather than disclosing them. The EPSS score of 1.3% indicates a low but non-zero observed probability of exploitation, and the SSVC assessment recorded at publication marks it Automatable: yes with Technical Impact: total. The upload handler is reachable without authentication, so an attacker needs only a crafted request. Because an arbitrary file can be moved, wp-config.php included, full compromise of the site is realistic. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 20, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a release later than 2.2.1. The advisory bounds the affected range at 2.2.1, so confirm in the release notes that the newer version addresses path validation in handle_files_upload().
  • If an upgrade cannot be applied, deactivate the plugin until it can. Blocking the request route that reaches handle_files_upload() at the web server is an alternative, but this advisory does not name that route (for example an admin-ajax.php action or a REST route); identify it from the plugin source before writing the rule. WordPress role restrictions do not help unless a capability check is added inside the handler itself, because the affected code path is reachable unauthenticated.
  • As a stopgap, patch the plugin locally to validate paths by resolving the final source and destination and requiring both to stay inside the intended directory; rejecting only literal traversal sequences or absolute paths is weaker than a containment check. Expect a local patch to be overwritten by the next plugin update. Whichever option is chosen, alert on wp-config.php changing or disappearing and on the site unexpectedly serving the install screen, which is how a successful move would surface.
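As an added example of what strict path validation means for an upload-then-move handler (this is not the plugin's code and not the vendor's fix), the PHP below places a hypothetical unsafe pattern beside a hardened one. The function names, the uploads directory, the extension lists and the sample file names are assumptions chosen for the demo; it runs stand-alone under PHP 8 from the command line against throwaway files in the system temp directory.

```php
<?php
// Added illustration for the CVE-2025-7360 bug class; not the plugin's own code.
// Function names, the uploads directory and the sample file names are assumptions.
declare(strict_types=1);

/**
 * Hypothetical unsafe pattern: request-controlled names are joined onto a
 * directory and handed straight to rename(). A name like "../../wp-config.php"
 * resolves outside $uploadsDir, so any file the PHP user can rename is movable.
 */
function unsafe_move(string $uploadsDir, string $srcName, string $dstName): bool
{
    return @rename($uploadsDir . '/' . $srcName, $uploadsDir . '/' . $dstName);
}

/** Extensions a web server might execute if they appear anywhere in the name. */
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];
/** Constructed allow list for the demo; a real form would take it from its settings. */
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

/**
 * Hardened move: the source must be a regular file under the temp directory
 * (a real upload handler would additionally require is_uploaded_file()), the
 * target name must be a single plain path component with an allowed extension,
 * and the resolved destination must stay inside $uploadsDir.
 * Returns the final path, or null when the request is rejected.
 */
function safe_move(string $uploadsDir, string $tmpFile, string $requestedName): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Null bytes, separators of either kind, and dot-only names are never a file name.
    if ($requestedName === '' || str_contains($requestedName, "\0")
        || str_contains($requestedName, '/') || str_contains($requestedName, '\\')
        || $requestedName === '.' || $requestedName === '..') {
        return null;
    }
    // Every dotted segment after the first counts as an extension; none may be executable.
    $segments = array_map('strtolower', array_slice(explode('.', $requestedName), 1));
    if ($segments === [] || array_intersect($segments, EXECUTABLE_EXTENSIONS) !== []
        || !in_array(end($segments), ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // The source must resolve to an existing regular file inside the temp directory.
    $src = realpath($tmpFile);
    $tmpBase = realpath(sys_get_temp_dir());
    if ($src === false || $tmpBase === false || !is_file($src)
        || !str_starts_with($src, $tmpBase . DIRECTORY_SEPARATOR)) {
        return null;
    }
    $dst = $base . DIRECTORY_SEPARATOR . $requestedName;
    // Belt and braces: the parent of the final path must be exactly the uploads directory,
    // and an existing file is never clobbered.
    if (realpath(dirname($dst)) !== $base || file_exists($dst)) {
        return null;
    }
    return rename($src, $dst) ? $dst : null;
}

// --- Constructed demo: throwaway directories and files under the system temp dir. ---
$tmpDir  = sys_get_temp_dir();
$uploads = $tmpDir . DIRECTORY_SEPARATOR . 'demo_uploads_' . getmypid();
mkdir($uploads);
$victim  = $tmpDir . DIRECTORY_SEPARATOR . 'demo_victim_' . getmypid() . '.txt';
file_put_contents($victim, "stands in for wp-config.php\n");

// The unsafe version happily pulls a file from the parent directory into uploads.
$ok = unsafe_move($uploads, '../' . basename($victim), 'pulled-in.txt');
printf("unsafe_move traversal: %s\n", $ok ? 'file moved out of its directory' : 'failed');

// The hardened version rejects every traversal or executable name and accepts a plain one.
$upload = tempnam($tmpDir, 'upl');
file_put_contents($upload, "constructed upload body\n");
$names = ['../../wp-config.php', '/etc/passwd', '..\\..\\x.pdf', "evil\0.pdf", 'shell.php', 'a.php.pdf', 'report.pdf'];
foreach ($names as $name) {
    $result = safe_move($uploads, $upload, $name);
    printf("safe_move(%-22s) -> %s\n", addcslashes($name, "\0"), $result ?? 'REJECTED');
}

// Remove the demo files.
array_map('unlink', glob($uploads . DIRECTORY_SEPARATOR . '*'));
rmdir($uploads);
@unlink($upload);
```

Inside a real plugin the same containment check belongs next to WordPress's own helpers (sanitize_file_name() and wp_handle_upload()); those normalise the name and filter extensions at upload time, but they cannot protect a handler that later calls rename() with a path taken from the request, which is the pattern this advisory describes.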

Generated by OpenCVE AI on April 20, 2026 at 20:18 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-21413
Title: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Values Added: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

Wed, 16 Jul 2025 14:30:00 +0000

Type: First Time appeared
Values Added: Hasthemes; Hasthemes download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Type: CPEs
Values Added: cpe:2.3:a:hasthemes:download_contact_form_7_widget_for_elementor_page_builder_\&_gutenberg_blocks:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Hasthemes; Hasthemes download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks

Tue, 15 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: SSVC 2.0.3: Exploitation: none; Automatable: yes; Technical Impact: total


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Added: score 0.00215


Tue, 15 Jul 2025 04:30:00 +0000

Type: Description
Values Added: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Type: Title
Values Added: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Directory Traversal to Arbitrary File Move
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added: (empty)
Type: Metrics (cvssV3_1)
Values Added: score 9.1; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:59.680Z

Reserved: 2025-07-08T16:10:04.994Z

Link: CVE-2025-7360

Vulnrichment

Updated: 2025-07-15T13:31:55.437Z

NVD

Status : Modified

Published: 2025-07-15T05:15:30.070

Modified: 2026-04-08T19:24:31.930

Link: CVE-2025-7360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses