Platform
wordpress
Component
ht-contactform
Fixed in
2.2.2
CVE-2025-7360 is a critical directory traversal vulnerability affecting the HT Contact Form WordPress plugin. This vulnerability allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 2.2.1, and a patch is available in version 2.2.2.
The core impact of CVE-2025-7360 lies in its potential for remote code execution. An attacker can exploit this vulnerability by manipulating file paths to move sensitive files, such as wp-config.php, to locations where they can be accessed or modified. Successful exploitation grants the attacker control over the WordPress installation, enabling them to execute arbitrary code, steal sensitive data (database credentials, user information), and potentially compromise the entire server. The ease of exploitation, combined with the plugin’s popularity, makes this a high-risk vulnerability.
CVE-2025-7360 was publicly disclosed on 2025-07-15. While no public proof-of-concept (PoC) has been released, the ease of exploitation and the potential for RCE suggest a medium probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern. Active campaigns targeting WordPress plugins are common, increasing the likelihood of exploitation.
Websites using the HT Contact Form plugin, particularly those running older, unpatched versions (0.0.0–2.2.1), are at significant risk. Shared hosting environments are especially vulnerable, as attackers can potentially compromise multiple websites through a single plugin vulnerability. Sites with weak file permission configurations are also at higher risk.
• wordpress / composer / npm:
grep -r "handle_files_upload()" /var/www/html/wp-content/plugins/ht-contact-form/
wp plugin list --status=all | grep "ht-contact-form"
wp plugin update ht-contact-form
wp plugin status ht-contact-form
wp plugin list --all
disclosure
patch
Exploit status
EPSS
1.11% (percentile 78%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-7360 is to immediately upgrade the HT Contact Form plugin to version 2.2.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file upload permissions for unauthenticated users, implementing stricter file path validation within the plugin (if possible), and using a Web Application Firewall (WAF) to block suspicious file upload requests. Monitor WordPress logs for unusual file access patterns, particularly attempts to access or modify wp-config.php. After upgrading, verify the fix by attempting a file upload with a manipulated path to confirm that the vulnerability is no longer exploitable.
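The "stricter file path validation" mentioned above is the check whose absence a file-moving directory traversal exploits. The following stand-alone PHP is an added example, not code from the HT Contact Form plugin (the function name and the demo directory are assumptions): it normalises a user-supplied relative name, refuses any `..` segment or NUL byte, and then confirms with `realpath()` that the destination's parent still lies inside the intended upload directory.

```php
<?php
// Added example, not code from the HT Contact Form plugin: the containment
// check a file-moving handler needs, so that a user-controlled name can only
// resolve to a path inside the intended upload directory.
/**
 * Return the absolute destination for $relative under $baseDir, or null
 * when the request must be rejected (traversal, NUL byte, empty name).
 */
function contained_path(string $baseDir, string $relative): ?string
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    // Split on both separator styles so "..\" is treated like "../".
    $clean = [];
    foreach (preg_split('#[/\\\\]+#', $relative) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null; // never climb out of the upload tree
        }
        $clean[] = $segment;
    }
    $base = realpath($baseDir);
    if ($clean === [] || $base === false) {
        return null; // nothing to write, or the upload dir does not exist
    }
    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $clean);
    // The file itself may not exist yet, so canonicalise its parent and require
    // it to be the base or a directory beneath it; this also catches a symlinked
    // subdirectory that points outside the upload tree.
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        return null;
    }
    if ($parent !== $base && strncmp($parent, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo against a throwaway directory with one legitimate subfolder.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ht-demo-' . getmypid();
mkdir($uploads . DIRECTORY_SEPARATOR . 'forms', 0700, true);
foreach (['report.pdf', 'forms/./a.txt', '../../wp-config.php', "..\\..\\wp-config.php", "a.png\0.php"] as $name) {
    printf("%-28s -> %s\n", json_encode($name), contained_path($uploads, $name) ?? 'REJECTED');
}
rmdir($uploads . DIRECTORY_SEPARATOR . 'forms'); rmdir($uploads);
```

The two traversal names and the NUL-byte name are rejected before any filesystem call, while the plain and subfolder names resolve to paths under the demo directory.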
Update the HT Contact Form plugin to version 2.2.2 or later to mitigate the directory traversal vulnerability. This update fixes the missing validation of the file path, preventing attackers from moving arbitrary files on the server.
CVE-2025-7360 is a critical vulnerability allowing attackers to move files on a WordPress server, potentially leading to remote code execution, affecting versions 0.0.0–2.2.1 of the HT Contact Form plugin.
You are affected if your WordPress site uses the HT Contact Form plugin and is running a version between 0.0.0 and 2.2.1. Check your plugin version immediately.
Upgrade the HT Contact Form plugin to version 2.2.2 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement temporary workarounds like WAF rules and file permission restrictions.
While no public exploit is currently available, the vulnerability's severity and ease of exploitation suggest a medium probability of active exploitation. Monitor your systems closely.
Refer to the official HT Contact Form plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-7360.