Multiple Microsoft Products Vulnerabilities

July 16, 2025

Multiple Jenkins Plugins Vulnerabilities

July 16, 2025

Multiple WordPress Plugins Vulnerabilities

July 16, 2025

Severity

Medium

Analysis Summary

CVE-2025-7360 CVSS:9.1

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

CVE-2025-7340 CVSS:9.8

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2025-7341 CVSS:9.1

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVE-2025-5394 CVSS:9.8

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

CVE-2025-5393 CVSS:9.1

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Impact

Code Execution

Indicators of Compromise

CVE

CVE-2025-7360
CVE-2025-7340
CVE-2025-7341
CVE-2025-5394
CVE-2025-5393

Affected Vendors

WordPress

Affected Products

HT Contact Form Widget For Elementor Page Builder and Gutenberg Blocks and Form Builder plugin for WordPress 2.2.1
Alone – Charity Multipurpose Non-profit WordPress Theme 7.8.3

Remediation

Refer to WordPress Website for patch, upgrade, or suggested workaround information.

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Ivanti Product Flaws Allow DoS Attacks

Critical Security Advisory: Heightened Alert Urged for Potential Cyberattacks Targeting Pakistan on Independence Day

Charon Ransomware Uses DLL Sideloading and Anti-EDR Tactics – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Multiple Microsoft Products Vulnerabilities

Multiple Jenkins Plugins Vulnerabilities

Severity

Medium

Analysis Summary

Indicators of Compromise

CVE

Affected Vendors

Affected Products

Remediation