Threat actors could hijack more than 10,000 WordPress sites that use the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder plugin, which is affected by a trio of critical vulnerabilities that could enable remote code execution, according to Infosecurity Magazine.
The most significant of the flaws is the arbitrary file upload bug, tracked as CVE-2025-7340, which stems from inadequate validation in the temp_file_upload() function, while the arbitrary file deletion issue, tracked as CVE-2025-7341, could facilitate complete site control, an advisory from Wordfence stated. Total control is also possible with the arbitrary file move vulnerability, tracked as CVE-2025-7360. Owners and admins of WordPress sites using the vulnerable plugin have been urged not only to apply the patches issued earlier this month immediately but also to keep plugins and themes up to date and to use security products with directory traversal and file upload defenses. Wordfence also called on site admins to share the advisory with other users of the plugin.




