CVE-2025-7360 Overview
CVE-2025-7360 is a critical arbitrary file moving vulnerability affecting the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress. The vulnerability exists due to insufficient file path validation in the handle_files_upload() function, allowing unauthenticated attackers to move arbitrary files on the server. This weakness can easily lead to remote code execution when critical files such as wp-config.php are moved to attacker-accessible locations.
Critical Impact
Unauthenticated attackers can move arbitrary files on WordPress servers, potentially leading to full site compromise and remote code execution by relocating sensitive configuration files.
Affected Products
- HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks versions up to and including 2.2.1
- WordPress installations using the vulnerable plugin versions
- Hasthemes Download Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Discovery Timeline
- 2025-07-15 - CVE-2025-7360 published to NVD
- 2025-07-16 - Last updated in NVD database
Technical Details for CVE-2025-7360
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), a weakness that occurs when software uses external input to construct a pathname that should be within a restricted directory, but fails to properly neutralize special elements that can cause the pathname to resolve to a location outside of that directory.
The vulnerable handle_files_upload() function within the plugin's Submission.php endpoint fails to adequately validate file paths before executing file move operations. Since no authentication is required to trigger this functionality, any remote attacker with network access to the WordPress installation can exploit this vulnerability.
The attack surface is particularly dangerous because WordPress sites typically store database credentials, authentication keys, and sensitive configuration data in the wp-config.php file. By moving this file to a publicly accessible location, attackers can extract credentials and gain complete control over the target WordPress installation and its database.
Root Cause
The root cause of CVE-2025-7360 lies in the lack of proper input sanitization and path canonicalization within the handle_files_upload() function located in admin/Includes/Api/Endpoints/Submission.php. The function accepts user-supplied file path parameters without validating that the resulting paths remain within the intended upload directory. This allows path traversal sequences to be processed, enabling attackers to reference files anywhere on the filesystem that the web server process has permissions to access.
Attack Vector
The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction. An attacker can craft malicious requests to the vulnerable API endpoint, supplying path traversal sequences (such as ../) in the file path parameters. This allows them to specify source and destination paths outside the intended upload directory.
A successful attack typically follows this pattern: the attacker identifies a WordPress site running the vulnerable plugin version, crafts a request to the handle_files_upload() endpoint with manipulated file path parameters, and moves sensitive files like wp-config.php to a web-accessible location. Once moved, the attacker retrieves the configuration file to extract database credentials, then uses those credentials to compromise the database and potentially achieve remote code execution through methods such as inserting malicious administrator accounts or plugin code.
Detection Methods for CVE-2025-7360
Indicators of Compromise
- Unexpected file movements or missing critical configuration files such as wp-config.php
- Suspicious HTTP requests to /wp-content/plugins/ht-contactform/ endpoints containing path traversal patterns
- Anomalous web server access logs showing requests with ../ sequences targeting the plugin's API
- Database access from unexpected IP addresses or locations following potential credential theft
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal attempts containing ../ or encoded variants targeting the HT Contact Form plugin
- Implement file integrity monitoring (FIM) on critical WordPress files including wp-config.php, .htaccess, and core WordPress files
- Review web server access logs for unusual POST requests to the plugin's Submission endpoint
- Deploy WordPress security plugins capable of detecting unauthorized file system operations
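An added example, not part of this advisory, that applies the indicators above to Apache access-log lines: it percent-decodes each request target twice (so %2e%2e/ and double-encoded variants both surface), flags requests to the plugin path that carry a '..' segment, and marks POSTs to the plugin path for review because form fields travel in the body, which access logs never record. The log lines are constructed, and the file= and dst= parameter names are invented for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

PLUGIN_PATH = "/wp-content/plugins/ht-contactform/"  # directory named in the indicators above
# Apache combined format: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment followed by a slash or backslash (or ending the target).
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")

# Constructed sample lines. The 'file=' and 'dst=' parameters are invented
# for illustration and are not the plugin's real request parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2025:10:01:02 +0000] "POST /wp-content/plugins/ht-contactform/?file=../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:10:01:09 +0000] "POST /wp-content/plugins/ht-contactform/?dst=%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [15/Jul/2025:10:02:00 +0000] "GET /wp-content/plugins/ht-contactform/assets/css/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jul/2025:10:03:00 +0000] "POST /wp-content/plugins/ht-contactform/ HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Jul/2025:10:04:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def normalize(target: str) -> str:
    """Percent-decode twice so both %2e%2e/ and %252e%252e/ become ../ ."""
    return unquote(unquote(target))


def classify(line: str) -> Optional[str]:
    """'traversal', 'post-review', or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize(m["target"])
    if PLUGIN_PATH not in target:
        return None  # out of scope for this plugin's indicators
    if TRAVERSAL_RE.search(target):
        return "traversal"
    # Form fields travel in the POST body, which access logs never record,
    # so a POST to the plugin endpoint deserves review even without '..'.
    if m["method"] == "POST":
        return "post-review"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """(client IP, verdict) for every flagged line."""
    return [(LOG_RE.match(l)["ip"], v) for l in log_text.splitlines() if (v := classify(l))]
```

Pair the 'post-review' hits with application-level logging or WAF body inspection; an access log alone cannot confirm or rule out traversal in POST fields.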
Monitoring Recommendations
- Enable verbose logging on web servers and WordPress installations to capture detailed request information
- Configure alerts for file system changes in the WordPress root directory and critical subdirectories
- Monitor for new or modified files in web-accessible directories that could indicate relocated sensitive configurations
- Implement network monitoring to detect unusual outbound connections that may indicate data exfiltration post-compromise
How to Mitigate CVE-2025-7360
Immediate Actions Required
- Update the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks plugin to version 2.2.2 or later immediately
- Review file system for any signs of unauthorized file movements or missing configuration files
- Rotate all WordPress authentication keys and database credentials if compromise is suspected
- Audit web server access logs for evidence of exploitation attempts targeting the vulnerable endpoint
Patch Information
The vulnerability is addressed in version 2.2.2 of the plugin; the corresponding WordPress plugin code change introduces proper file path validation to prevent path traversal. Update the plugin through the WordPress admin dashboard or download the latest version from the WordPress Plugin Directory. For additional technical details, refer to the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the HT Contact Form Widget For Elementor Page Builder plugin until the patch can be applied
- Implement web application firewall rules to block requests containing path traversal sequences targeting the plugin
- Restrict access to the WordPress admin and plugin API endpoints using IP whitelisting where feasible
- Move sensitive configuration files outside the web root or implement additional server-level access controls
# Example: Disable the vulnerable plugin via WP-CLI (plugin slug: ht-contactform)
wp plugin deactivate ht-contactform --path=/var/www/html/wordpress

# Example: Block path traversal attempts in Apache .htaccess
# Add to the WordPress root .htaccess file. QUERY_STRING is matched as sent
# (not percent-decoded), so encoded variants such as %2e%2e/ need their own
# alternative. mod_rewrite never inspects POST bodies, so traversal submitted
# in form fields is not caught by this rule; treat it as a partial stopgap.
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|\.\.\\|%2e%2e(/|%2f|\\|%5c)) [NC,OR]
RewriteCond %{REQUEST_URI} (\.\./|\.\.\\) [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.