cleantalk
Vulnerabilities and Security Researches

Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks, CVE-2025-7360

CVE, Research URL

CVE-2025-7360

Home page URL

Security reports for Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks

Application

Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks

Published on
Jul 15, 2025
Research Description
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Affected versions
Min -, max 2.2.2.
Status
vulnerable
Previous vulnerability researches
BuddyForms Form Elements for WooCommerce (39d1f22f-ea34-4d94-9dc2-12661cf69d36) , Jun 07, 2024
New vulnerability
Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & (CVE-2025-50028) , Jul 19, 2025
Welcart e-Commerce (CVE-2025-54013) , Jul 19, 2025
CM Popup Plugin for WordPress – Popup Maker (CVE-2025-54018) , Jul 19, 2025
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce (CVE-2025-2800) , Jul 19, 2025
URL Shortener Plugin For WordPress (CVE-2025-28961) , Jul 19, 2025