Platform: wordpress
Component: ht-contactform
Fixed in: 2.2.2
CVE-2025-7341 is an arbitrary file access vulnerability affecting the HT Contact Form – Drag & Drop Form Builder for WordPress plugin. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 2.2.1, and a patch is available in version 2.2.2.
The primary impact of CVE-2025-7341 is the ability for an unauthenticated attacker to delete files on the server. While the vulnerability is classified as arbitrary file access, the description explicitly states that deleting critical files like wp-config.php can lead to remote code execution. Successful exploitation would grant an attacker complete control over the WordPress installation, allowing them to modify content, install malicious plugins, steal sensitive data (database credentials, user information), and potentially pivot to other systems on the network. The ease of exploitation, combined with the plugin's popularity, makes this a high-risk vulnerability.
CVE-2025-7341 was publicly disclosed on 2025-07-15. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's simplicity and potential for RCE suggest a high probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure. Active campaigns targeting WordPress plugins are common, increasing the likelihood of exploitation.
Exploit Status
EPSS: 0.67% (71st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-7341 is to immediately upgrade the HT Contact Form plugin to version 2.2.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting file access permissions on the server to limit the potential damage from file deletion. Web application firewalls (WAFs) configured to detect and block suspicious file deletion attempts targeting the plugin's endpoints could provide an additional layer of defense. Monitor WordPress logs for unusual file deletion activity.
Update the HT Contact Form plugin to version 2.2.2 or higher to mitigate the arbitrary file deletion vulnerability. This update corrects the inadequate file path validation, preventing unauthenticated attackers from deleting sensitive files on the server.
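As an added illustration of the hardened pattern for this vulnerability class (this is not HT Contact Form's code, and the hook, action and nonce names are assumed), a WordPress AJAX deletion handler should refuse unauthenticated callers and resolve the requested path with realpath() before confirming it stays inside the uploads directory and calling unlink():

```php
<?php
// Added example, not the plugin's own code. Hardened pattern for a
// WordPress AJAX handler that deletes a user-supplied file path.

/**
 * Resolve $user_path inside $base_dir and return its absolute path, or
 * null if it escapes the directory, does not exist, or is not a file.
 */
function ht_example_resolve_inside(string $base_dir, string $user_path): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject empty input, NUL bytes and POSIX-absolute paths before touching
    // the filesystem (the containment check below also covers drive letters).
    if ($user_path === '' || $user_path[0] === '/' || strpos($user_path, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks; false if it does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against the base plus a trailing separator so a sibling such as
    // /var/www/uploads-old does not pass as a prefix match of /var/www/uploads.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Registered on wp_ajax_ only (never wp_ajax_nopriv_), so anonymous
// requests are rejected by WordPress before this callback runs.
add_action('wp_ajax_ht_example_delete_upload', function (): void {
    // Capability and nonce checks: both must pass before any unlink().
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('ht_example_delete_upload', 'nonce');

    $requested = isset($_POST['file']) ? wp_unslash((string) $_POST['file']) : '';
    $uploads   = wp_upload_dir();
    $target    = ht_example_resolve_inside($uploads['basedir'], $requested);
    if ($target === null) {
        wp_send_json_error('invalid path', 400);
    }
    // Audit line a SOC can alert on, matching the log-monitoring advice above.
    error_log(sprintf('ht_example: user %d deleted %s', get_current_user_id(), $target));
    wp_send_json_success(['deleted' => unlink($target)]);
});
```

The containment check is what the fix in 2.2.2 is described as restoring; the capability and nonce checks are what keep the handler out of reach of unauthenticated requests in the first place.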
CVE-2025-7341 is a CRITICAL vulnerability in the HT Contact Form WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if you are using HT Contact Form versions 0.0.0 through 2.2.1. Check your plugin version immediately.
Upgrade the HT Contact Form plugin to version 2.2.2 or later to address the vulnerability. If immediate upgrade is not possible, implement temporary file access restrictions.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official HT Contact Form website and WordPress plugin repository for updates and advisories related to CVE-2025-7341.