
More than 10,000 WordPress websites were vulnerable to complete compromise due to three severe security flaws discovered in the “HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder” plugin.
Security firm Wordfence detailed the vulnerabilities in a new advisory. All three flaws, exploitable by unauthenticated attackers, could lead to full site takeover:
1. Arbitrary File Upload (CVE-2025-7340, CVSS 9.8): The plugin’s temp_file_upload() function lacked file type validation. Attackers could upload any file, including executable PHP scripts, to public directories for direct access and execution.
2. Arbitrary File Deletion (CVE-2025-7341): Through the temp_file_delete() function, attackers could delete critical files such as wp-config.php. Deleting it forces the site back into setup mode, and an attacker who then completes the setup against a database they control takes over the site.
3. Arbitrary File Move (CVE-2025-7360): The handle_files_upload() function failed to properly sanitize file names, allowing attackers to move essential files. This could trigger the same level of compromise as file deletion.
Researchers vgo0 and Phat RiO reported the flaws to Wordfence through its bug bounty program. Wordfence notified plugin developer HasTech IT on July 8, 2025. A patched version was released on July 13, 2025.
To mitigate such risks, WordPress site owners should:
- Update the HT Contact Form plugin immediately.
- Keep all plugins and themes updated.
- Apply vendor security patches promptly.
- Use a security solution offering file upload and directory traversal protections.


