CVE-2025-7360: 
WordPress vulnerability analysis and mitigation

CVE-2025-7360 affects the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress, discovered in July 2025. The vulnerability exists in all versions up to and including 2.2.1, where insufficient file path validation in the handlefilesupload() function allows unauthenticated attackers to move arbitrary files on the server (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NVD, and 9.1 CRITICAL from Wordfence. The issue stems from insufficient validation of file paths in the handlefilesupload() function, which can be exploited without authentication (NVD, Rapid7).

The vulnerability allows unauthenticated attackers to move arbitrary files on the server, which can lead to remote code execution when critical files like wp-config.php are targeted. This gives attackers potential full control over the affected WordPress installation (NVD).

Users should immediately update to version 2.2.2 or later of the plugin, which includes improved file upload handling and fixes the file name sanitization issue. The patch was released on July 10, 2025 (WordPress Plugin).