CRITICAL: CVE-2025-7341 (CVSS 9.1) — hasthemes download contact form 7 widget for elementor page builder \& gutenberg blocks
CVE: CVE-2025-7341
CVSS: 9.1 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Severity: CRITICAL
Status: Critical advisory
Affected
- hasthemes download contact form 7 widget for elementor page builder \& gutenberg blocks
Summary
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Verified Sources
References
- https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Services/FileManager.php#L107
- https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Ajax.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FAjax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4?source=cve
_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._
Lyrie Verdict
A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.
Validated sources
- [1]NVD
- [2]GitHub Advisory
- [3]MITRE