HT Contact Form Plugin (3 vulnerabilities) - CVE-2025-7340, CVE-2025-7360 and CVE-2025-7341
We have several new vulnerabilities in WP themes and plugins today, and the most prominent one on WordFence seems to be about the "HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder".
Three new vulnerabilities in this plugin became public today.
As their severity ranges from 9.1 to 9.8, saying that you should update this plugin immediately sounds redundant.
These are:
- Directory Traversal to Arbitrary File Move (9.1, CVE-2025-7360)
- Unauthenticated Arbitrary File Deletion (9.1, CVE-2025-7341)
- Unauthenticated Arbitrary File Upload (9.8, CVE-2025-7340)
So, the only things that anyone can do on your website are to upload any file, delete any file, or move any file.
If it sounds scary, it should be. The risk includes any WP website with a plugin version below and including 2.2.1, so you should install the latest one, 2.2.2.
According to the WordPress plugin directory, this plugin is installed on 10k+ websites.
If you're among those, update or seek professional help.