PT-2025-29532 · WordPress · Ht Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Dale Mavers +1 · Published 2025-07-14 · Updated 2025-09-29 · CVE-2025-7340
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. versions up to and including 2.2.1
Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp file upload function. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. Approximately 500 potentially vulnerable instances of the plugin have been identified. Attackers are observed exploiting the vulnerability through POST requests to /wp-admin/admin-ajax.php with malicious files and GET requests attempting to move or delete system files, such as wp-config.php.
Recommendations
Update the plugin to a version greater than 2.2.1.
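For triage on a site that ran an affected version, the request pattern in the description can be searched for in the web server's access log. The script below is an added example, not part of the advisory or the plugin: it assumes combined log format, correlates by client IP within a hypothetical 10-minute window, and runs on constructed sample lines. POSTs to admin-ajax.php are common in normal WordPress traffic, so the correlation only raises the priority of a hit.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in combined log format; IPs, paths and parameters are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jul/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl/8.0"
198.51.100.7 - - [15/Jul/2025:10:00:09 +0000] "GET /constructed/path.php?file=wp%2Dconfig.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.20 - - [15/Jul/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112 "-" "Mozilla/5.0"
203.0.113.20 - - [15/Jul/2025:10:02:05 +0000] "GET /contact/?sent=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jul/2025:10:05:00 +0000] "GET /index.php?page=wp-config.php HTTP/1.1" 404 0 "-" "scanner"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
AJAX_PATH = "/wp-admin/admin-ajax.php"
SENSITIVE = "wp-config.php"

def triage(log_text, window=timedelta(minutes=10)):
    """Return (ip, verdict, status, url) for GETs that reference wp-config.php.

    verdict is 'post-then-reference' when the same client POSTed to
    admin-ajax.php within `window` before the GET, else 'reference-only'.
    """
    last_ajax_post = {}  # client IP -> time of its latest POST to admin-ajax.php
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = url.split("?", 1)[0]
        if method == "POST" and path == AJAX_PATH:
            last_ajax_post[ip] = when
            continue
        # Decode twice so single- and double-encoded references both match.
        decoded = unquote(unquote(url)).lower()
        if method == "GET" and SENSITIVE in decoded:
            seen = last_ajax_post.get(ip)
            recent = seen is not None and timedelta(0) <= when - seen <= window
            verdict = "post-then-reference" if recent else "reference-only"
            findings.append((ip, verdict, int(status), url))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `post-then-reference` hit with a 2xx status is the case to investigate first, starting with whether wp-config.php is still present and unmodified.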
Fix
RCE
Unrestricted File Upload
Affected Products
Ht Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.