CVE-2025-7360
📋 TL;DR
This vulnerability in the HT Contact Form WordPress plugin allows unauthenticated attackers to move arbitrary files on the server due to insufficient path validation. This can lead to remote code execution by moving critical files like wp-config.php. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via remote code execution, allowing attackers to take over the WordPress installation, steal data, install backdoors, or deface the site.
Likely Case
Attackers move wp-config.php to a web-accessible location, extract database credentials, and gain administrative access to the WordPress site and database.
If Mitigated
If proper file permissions and web server configurations are in place, attackers may only be able to move non-critical files, limiting damage to denial of service or minor data exposure.
🎯 Exploit Status
The vulnerability requires no authentication and has a simple exploitation path. While no public PoC exists, the technical details are clear enough for attackers to develop exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'HT Contact Form' and check whether the version is 2.2.1 or lower.
4. Click 'Update Now' if available, or delete and reinstall the plugin from the WordPress repository.
5. Verify the plugin version is now 2.2.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
All platforms: Temporarily deactivate the HT Contact Form plugin until patched
wp plugin deactivate ht-contactform
Restrict file permissions
Linux: Set strict file permissions on wp-config.php and other critical files
chmod 400 wp-config.php
chown root:root wp-config.php
🧯 If You Can't Patch
- Immediately deactivate the HT Contact Form plugin via WordPress admin or command line
- Implement web application firewall rules to block requests to the vulnerable endpoint (/wp-json/ht-contactform/v1/submit)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for HT Contact Form version 2.2.1 or lower
Check Version:
wp plugin get ht-contactform --field=version
Verify Fix Applied:
Confirm plugin version is 2.2.2 or higher in WordPress admin panel
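To automate the version check above, here is an added POSIX shell example (not from the advisory, the plugin, or WP-CLI) that compares a version string, such as the output of `wp plugin get ht-contactform --field=version`, against the fixed release 2.2.2. The function names are my own, and the comparison assumes plain dotted numeric versions.

```shell
#!/bin/sh
# Added example: decide whether an installed HT Contact Form version is
# affected (2.2.1 or lower per the advisory). The fixed release is 2.2.2.
FIXED_VERSION="2.2.2"

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
# Missing components count as 0, so "2.2" < "2.2.2" and "2.10" > "2.2.2".
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap=${a%%.*}; bp=${b%%.*}
    [ "${ap:-0}" -lt "${bp:-0}" ] && return 0
    [ "${ap:-0}" -gt "${bp:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 1   # versions are equal
}

# ht_contactform_vulnerable VERSION: exit 0 if VERSION is below the fix.
ht_contactform_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# report VERSION: one-line verdict, suitable for a cron or audit job.
report() {
  if ht_contactform_vulnerable "$1"; then
    echo "ht-contactform $1: VULNERABLE (update to $FIXED_VERSION or later)"
  else
    echo "ht-contactform $1: patched"
  fi
}

# Typical use on a host with WP-CLI (uncomment on a real site):
# report "$(wp plugin get ht-contactform --field=version)"
report "2.2.1"
report "2.2.2"
```

The manual comparison avoids relying on `sort -V`, which is not available on every platform's `sort`; if the plugin ever ships a version with a non-numeric suffix, strip it before calling the function.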
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/ht-contactform/v1/submit endpoint
- File modification events on wp-config.php or other critical files
- 404 errors for missing wp-config.php
Network Indicators:
- POST requests to contact form endpoints with file manipulation parameters
- Unusual file upload patterns to WordPress REST API endpoints
SIEM Query:
source="web_server" AND (uri_path="/wp-json/ht-contactform/v1/submit" OR file_path="wp-config.php") AND action="modify"
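As an added example (not part of the advisory), the following POSIX shell script turns the log indicators above into a check that runs over a combined-format access log with awk. The endpoint path is the one named in the advisory, the sample log lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: scan an access log (combined log format) for the log
# indicators listed in the advisory. Sample lines below are constructed.
ENDPOINT="/wp-json/ht-contactform/v1/submit"

# flag_submit_posts LOGFILE: print "client_ip status" for each POST whose
# request path starts with the contact-form submit endpoint.
# Exit 0 when at least one hit was found, 1 otherwise.
flag_submit_posts() {
  awk -v ep="$ENDPOINT" '
    # combined format: $6 = "\"METHOD", $7 = request path, $9 = status code
    $6 == "\"POST" && index($7, ep) == 1 { print $1, $9; found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# count_submit_posts LOGFILE: number of POSTs to the endpoint.
count_submit_posts() {
  flag_submit_posts "$1" | wc -l | tr -d ' '
}

# count_wpconfig_404 LOGFILE: requests for wp-config.php answered 404.
# On a site where that file normally exists this matches the advisory's
# "404 errors for missing wp-config.php" indicator.
count_wpconfig_404() {
  awk '$7 ~ /\/wp-config\.php$/ && $9 == "404" { n++ } END { print n + 0 }' "$1"
}

# Constructed sample log; point the functions at the real access log instead.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jul/2025:10:01:02 +0000] "POST /wp-json/ht-contactform/v1/submit HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.9 - - [10/Jul/2025:10:01:05 +0000] "GET /wp-json/ht-contactform/v1/submit HTTP/1.1" 405 88 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:10:01:09 +0000] "POST /wp-json/ht-contactform/v1/submit?x=1 HTTP/1.1" 200 497 "-" "python-requests/2.32"
192.0.2.4 - - [10/Jul/2025:10:02:11 +0000] "GET /wp-config.php HTTP/1.1" 404 0 "-" "curl/8.4"
198.51.100.9 - - [10/Jul/2025:10:02:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF

echo "POSTs to submit endpoint: $(count_submit_posts "$SAMPLE_LOG")"
echo "404s for wp-config.php:   $(count_wpconfig_404 "$SAMPLE_LOG")"
```

Legitimate form submissions also POST to this endpoint, so the script prints the client address with each hit rather than alerting on its own; compare the per-client volume against the site's normal baseline, and treat any wp-config.php 404 on a site that previously served the file as a high-priority event.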
🔗 References
- https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FApi%2FEndpoints%2FSubmission.php
- https://wordpress.org/plugins/ht-contactform/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve