{"id":1611,"date":"2025-07-28T20:55:26","date_gmt":"2025-07-28T20:55:26","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/07\/28\/critical-flaws-in-wordpress-plugin-leave-10000-sites-vulnerable\/"},"modified":"2025-07-28T20:55:26","modified_gmt":"2025-07-28T20:55:26","slug":"critical-flaws-in-wordpress-plugin-leave-10000-sites-vulnerable","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/07\/28\/critical-flaws-in-wordpress-plugin-leave-10000-sites-vulnerable\/","title":{"rendered":"Critical Flaws in WordPress Plugin Leave 10,000 Sites Vulnerable"},"content":{"rendered":"
\n

More than 10,000 WordPress sites have been left vulnerable to full site takeover due to three critical security flaws discovered in the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder<\/em> plugin.<\/p>\n

The vulnerabilities, which include Arbitrary File Upload, Arbitrary File Deletion and Arbitrary File Move, allowed unauthenticated attackers to execute malicious code, delete essential files or move them to new locations.\u00a0<\/p>\n

According to a new advisory by Wordfence, all three issues made remote code execution and full site compromise possible.<\/p>\n

Flaws Could Allow Complete Site Takeover<\/strong><\/h3>\n

The most severe of the three, CVE-2025-7340, carried a CVSS score of 9.8. It allowed attackers to upload any file type (including executable PHP scripts) due to a lack of validation in the plugin’s temp_file_upload() function. These files were stored in public directories, enabling direct access and execution.<\/p>\n

The second flaw, CVE-2025-7341, allowed arbitrary file deletion via the temp_file_delete() function. Attackers could delete the wp-config.php file, placing the site into setup mode and enabling full control if pointed to a new database.<\/p>\n

A third vulnerability, CVE-2025-7360, involved arbitrary file moving using the handle_files_upload() function. This function failed to sanitize file names properly, letting attackers move critical files and trigger the same kind of compromise as deletion.<\/p>\n

Read more on WordPress plugin security risks: Vulnerability in Chaty Pro Plugin Exposes 18,000 WordPress Sites<\/em><\/p>\n

Recommended Action for Site Owners<\/strong><\/h3>\n

The issues were disclosed to Wordfence through its bug bounty program by researchers vgo0 and Phat RiO. Wordfence contacted plugin developer HasTech IT on July 8. A patch was released just five days later, on July 13.<\/p>\n

“We encourage WordPress users to verify that their sites are updated to the latest patched version of HT Contact Form as soon as possible considering the critical nature of these vulnerabilities,” Wordfence said.<\/p>\n

To stay protected, the company also advised users to:<\/p>\n