Platform: wordpress
Component: ht-contactform
Fixed in: 2.2.2
CVE-2025-7360 is a critical directory traversal vulnerability affecting the HT Contact Form WordPress plugin. This vulnerability allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 2.2.1, and a patch is available in version 2.2.2.
The core impact of CVE-2025-7360 lies in its potential for remote code execution. An attacker can exploit this vulnerability by manipulating file paths to move sensitive files, such as wp-config.php, to locations where they can be accessed or modified. Successful exploitation grants the attacker control over the WordPress installation, enabling them to execute arbitrary code, steal sensitive data (database credentials, user information), and potentially compromise the entire server. The ease of exploitation, combined with the plugin’s popularity, makes this a high-risk vulnerability.
CVE-2025-7360 was publicly disclosed on 2025-07-15. While no public proof-of-concept (PoC) has been released, the ease of exploitation and the potential for RCE suggest a medium probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern. Active campaigns targeting WordPress plugins are common, increasing the likelihood of exploitation.
Websites using the HT Contact Form plugin, particularly those running older, unpatched versions (0.0.0–2.2.1), are at significant risk. Shared hosting environments are especially vulnerable, as attackers can potentially compromise multiple websites through a single plugin vulnerability. Sites with weak file permission configurations are also at higher risk.
Detection and remediation commands (wordpress / composer / npm):

grep -r "handle_files_upload()" /var/www/html/wp-content/plugins/ht-contact-form/
wp plugin list | grep "ht-contact-form"
wp plugin update ht-contact-form
wp plugin status ht-contact-form
wp plugin list
EPSS: 1.11% (78th percentile)
The primary mitigation for CVE-2025-7360 is to immediately upgrade the HT Contact Form plugin to version 2.2.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file upload permissions for unauthenticated users, implementing stricter file path validation within the plugin (if possible), and using a Web Application Firewall (WAF) to block suspicious file upload requests. Monitor WordPress logs for unusual file access patterns, particularly attempts to access or modify wp-config.php. After upgrading, verify the fix by attempting a file upload with a manipulated path to confirm that the vulnerability is no longer exploitable.
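As an added illustration of two of the workarounds above (stricter file path validation and monitoring logs for attempts against wp-config.php), and not code from the plugin or from this advisory: a Python path-containment check of the kind a file-handling routine should perform before moving a file into its upload directory, followed by a scan over a few constructed Apache-style access-log lines for traversal sequences and references to wp-config.php. The upload directory, the admin-ajax action name and the log lines are assumed sample values, not the plugin's own.

```python
import posixpath
import re
import urllib.parse
from typing import Dict, List, Optional

# Assumed directory under which a contact-form plugin may write or move
# uploaded files (constructed example path, not the plugin's real one).
UPLOAD_BASE = "/var/www/html/wp-content/uploads/contact-form"


def resolve_within_base(base_dir: str, user_supplied: str) -> Optional[str]:
    """Return the absolute target path if it stays inside base_dir, else None.

    The joined path is normalised (collapsing '.' and '..') and the result must
    be base_dir itself or a descendant of it. Checking containment on the
    normalised path, rather than stripping '../' substrings, also rejects
    absolute paths and sequences that only become traversal after decoding.
    """
    if "\x00" in user_supplied:
        return None  # NUL bytes truncate paths in C-backed file APIs
    base = posixpath.normpath(base_dir)
    # posixpath.join drops base entirely when user_supplied is absolute,
    # so the containment check below is what actually enforces the boundary.
    candidate = posixpath.normpath(posixpath.join(base, user_supplied))
    try:
        common = posixpath.commonpath([base, candidate])
    except ValueError:
        return None  # mixing absolute and relative components
    return candidate if common == base else None


# Constructed sample access-log lines (Apache combined format, not real traffic).
# The action name "contact_submit" is a placeholder, not the plugin's real action.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=contact_submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=contact_submit&file=../../../wp-config.php HTTP/1.1" 200 318 "-" "curl/8.4.0"
203.0.113.12 - - [15/Jul/2025:10:02:44 +0000] "GET /wp-content/uploads/contact-form/..%2F..%2Fwp-config.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [15/Jul/2025:10:03:00 +0000] "GET /contact/ HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
# Raw and percent-encoded forms of a parent-directory step.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|%2e%2e(/|%2f))", re.IGNORECASE)
SENSITIVE_RE = re.compile(r"wp-config\.php", re.IGNORECASE)


def suspicious_requests(log_text: str) -> List[Dict[str, object]]:
    """Flag log lines whose request carries a traversal step or names wp-config.php.

    The request is checked both raw and after one round of URL decoding so that
    '..%2F' is caught alongside '../'.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        request = m.group("request")
        decoded = urllib.parse.unquote(request)
        reasons = []
        if TRAVERSAL_RE.search(request) or TRAVERSAL_RE.search(decoded):
            reasons.append("path traversal sequence")
        if SENSITIVE_RE.search(decoded):
            reasons.append("references wp-config.php")
        if reasons:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "request": request, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for probe in ("form1/photo.jpg", "../../../wp-config.php", "/etc/passwd"):
        print(f"{probe!r:32} -> {resolve_within_base(UPLOAD_BASE, probe)}")
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], "; ".join(hit["reasons"]), "|", hit["request"])
```

The containment check is the behaviour the 2.2.2 fix restores at the plugin level; the log scan is the monitoring the advisory recommends while an upgrade is pending, and it flags requests regardless of whether the server answered 200 or 404, since a failed probe is still worth an alert.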
Update the HT Contact Form plugin to version 2.2.2 or later to mitigate the directory traversal vulnerability. This update fixes the missing validation of the file path, preventing attackers from moving arbitrary files on the server.
CVE-2025-7360 is a critical vulnerability allowing attackers to move files on a WordPress server, potentially leading to remote code execution, affecting versions 0.0.0–2.2.1 of the HT Contact Form plugin.
You are affected if your WordPress site uses the HT Contact Form plugin and is running a version between 0.0.0 and 2.2.1. Check your plugin version immediately.
Upgrade the HT Contact Form plugin to version 2.2.2 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement temporary workarounds like WAF rules and file permission restrictions.
While no public exploit is currently available, the vulnerability's severity and ease of exploitation suggest a medium probability of active exploitation. Monitor your systems closely.
Refer to the official HT Contact Form plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-7360.