PT-2025-29537 · WordPress · Ht Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Dale Mavers +1 · Published 2025-07-15 · Updated 2026-04-08 · CVE-2025-7341
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder versions up to and including 2.2.1
Description
The HT Contact Form Widget plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation within the temp_file_delete() function. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution if critical files, such as wp-config.php, are deleted.
Recommendations
HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder versions prior to 2.2.1 should be updated.
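The kind of file path validation the description says is missing can be sketched as below. This is an added PHP example, not the plugin's code or its patch; the helper name safe_temp_file_delete(), the $tempDir parameter and the demo file names are hypothetical, and it assumes temporary uploads live in one dedicated directory.

```php
<?php
// Added illustration (hypothetical helper, not the plugin's own code).
// Deletes a file only if it is a regular file directly inside $tempDir.
function safe_temp_file_delete(string $requested, string $tempDir): bool
{
    // Resolve the allowed base directory; fail closed if it is missing.
    $base = realpath($tempDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Accept a bare file name only: no separators, NUL bytes or dot entries.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || $requested !== basename($requested)
        || strpbrk($requested, "/\\\0") !== false) {
        return false;
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $requested;

    // Refuse symlinks so a link in the temp dir cannot redirect the delete.
    if (is_link($candidate)) {
        return false;
    }

    // Canonicalise and confirm the target still sits directly in the base.
    $real = realpath($candidate);
    if ($real === false || !is_file($real) || dirname($real) !== $base) {
        return false;
    }

    return unlink($real);
}

// Constructed demo: a throwaway directory holding one temporary upload.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ht_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'upload_1.tmp', 'x');

var_dump(safe_temp_file_delete('../wp-config.php', $dir)); // traversal-style name
var_dump(safe_temp_file_delete('upload_1.tmp', $dir));     // plain file name
rmdir($dir);
```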
Fix
RCE
Improper Privilege Management
Affected Products
Ht Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.