WordPress Plugin Vulnerabilities

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. < 2.2.2 - Unauthenticated Arbitrary File Deletion

Description

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
ht-contactform
Fixed in 2.2.2

References

CVE
CVE-2025-7341
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
vgo0
Verified
No
WPVDB ID
d9c8a349-c36c-4aa0-b9fe-3110814a45cc

Timeline

Publicly Published
2025-07-14 (about 9 months ago)
Added
2025-07-14 (about 9 months ago)
Last Updated
2025-07-22 (about 9 months ago)

Other

Published
Title
Published
2025-10-21
Title
Academy LMS Pro < 3.3.8 - Unauthenticated Privilege Escalation via Social Login Addon
Published
2020-06-10
Title
Brizy - Page Builder < 1.0.126 - Improper Access Controls on AJAX Calls
Published
2023-05-22
Title
Leyka < 3.30.3 - Subscriber+ Privilege Escalation
Published
2024-06-03
Title
Frontend Registration – Contact Form 7 <= 5.1 - Authenticated (Editor+) Privilege Escalation
Published
2026-02-13
Title
Truelysell Core < 1.8.8 - Unauthenticated Privilege Escalation via Registration