Platform
wordpress
Component
ht-contactform
Fixed in
2.2.2
CVE-2025-7360 is a critical directory traversal vulnerability affecting the HT Contact Form WordPress plugin. This vulnerability allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 2.2.1, and a patch is available in version 2.2.2.
The core impact of CVE-2025-7360 lies in its potential for remote code execution. An attacker can exploit this vulnerability by manipulating file paths to move sensitive files, such as wp-config.php, to locations where they can be accessed or modified. Successful exploitation grants the attacker control over the WordPress installation, enabling them to execute arbitrary code, steal sensitive data (database credentials, user information), and potentially compromise the entire server. The ease of exploitation, combined with the plugin’s popularity, makes this a high-risk vulnerability.
CVE-2025-7360 was publicly disclosed on 2025-07-15. While no public proof-of-concept (PoC) has been released, the ease of exploitation and the potential for RCE suggest a medium probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern. Active campaigns targeting WordPress plugins are common, increasing the likelihood of exploitation.
Websites using the HT Contact Form plugin, particularly those running older, unpatched versions (0.0.0–2.2.1), are at significant risk. Shared hosting environments are especially vulnerable, as attackers can potentially compromise multiple websites through a single plugin vulnerability. Sites with weak file permission configurations are also at higher risk.
• wordpress / composer / npm: grep -r "handle_files_upload()" /var/www/html/wp-content/plugins/ht-contact-form/
• wordpress / composer / npm: wp plugin list --status=all | grep "ht-contact-form"
• wordpress / composer / npm: wp plugin update ht-contact-form
• wordpress / composer / npm: wp plugin status ht-contact-form
• wordpress / composer / npm: wp plugin list --all
Disclosure
Patch
Exploit status
EPSS
1.11% (78th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-7360 is to immediately upgrade the HT Contact Form plugin to version 2.2.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file upload permissions for unauthenticated users, implementing stricter file path validation within the plugin (if possible), and using a Web Application Firewall (WAF) to block suspicious file upload requests. Monitor WordPress logs for unusual file access patterns, particularly attempts to access or modify wp-config.php. After upgrading, verify the fix by attempting a file upload with a manipulated path to confirm that the vulnerability is no longer exploitable.
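To support the two workaround steps above, the path validation and the log monitoring for traversal attempts against wp-config.php, here is an added example in Python; it is not code from the plugin or from this advisory. It assumes Common Log Format access logs, and the "action" and "file" query parameters in the constructed sample lines are hypothetical, since the plugin's real request format is not given on this page.

```python
import os
import re
from urllib.parse import unquote

# Constructed CLF access-log lines, not real traffic; the "action"/"file"
# parameters are hypothetical, as the plugin's request format is not on the page.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2025:10:01:02 +0000] "GET /wp-content/plugins/ht-contact-form/assets/style.css HTTP/1.1" 200 512
203.0.113.11 - - [15/Jul/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=upload&file=../../wp-config.php HTTP/1.1" 200 17
203.0.113.12 - - [15/Jul/2025:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=upload&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 17
203.0.113.13 - - [15/Jul/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=upload&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 17
203.0.113.14 - - [15/Jul/2025:10:01:06 +0000] "GET /wp-content/uploads/2025/07/image.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL = re.compile(r"\.\.[\\/]")   # "../" or "..\" anywhere in the target
SENSITIVE = ("wp-config.php",)         # file the advisory singles out

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so a double-encoded '%252e%252e' is not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_within_upload_dir(base_dir, requested):
    """The path check the advisory asks for: canonicalise, then require containment."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base

def flag_suspicious(log_text):
    """One record per request whose decoded target traverses or names a sensitive file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        decoded = fully_decode(target).lower()
        reasons = []
        if TRAVERSAL.search(decoded):
            reasons.append("traversal")
        if any(name in decoded for name in SENSITIVE):
            reasons.append("sensitive-file")
        if reasons:
            hits.append({"ip": ip, "method": method, "status": status, "reasons": reasons})
    return hits
```

Run flag_suspicious over your own access log to list the requests worth investigating; is_within_upload_dir shows the containment check that an upload handler should apply before moving any file.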
Update the HT Contact Form plugin to version 2.2.2 or later to mitigate the directory traversal vulnerability. This update corrects the missing file path validation, preventing attackers from moving arbitrary files on the server.
CVE-2025-7360 is a critical vulnerability allowing attackers to move files on a WordPress server, potentially leading to remote code execution, affecting versions 0.0.0–2.2.1 of the HT Contact Form plugin.
You are affected if your WordPress site uses the HT Contact Form plugin and is running a version between 0.0.0 and 2.2.1. Check your plugin version immediately.
Upgrade the HT Contact Form plugin to version 2.2.2 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement temporary workarounds like WAF rules and file permission restrictions.
While no public exploit is currently available, the vulnerability's severity and ease of exploitation suggest a medium probability of active exploitation. Monitor your systems closely.
Refer to the official HT Contact Form plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-7360.