
Multiple WordPress Plugins Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2025-7360 CVSS:9.1

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

CVE-2025-7340 CVSS:9.8

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2025-7341 CVSS:9.1

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVE-2025-5394 CVSS:9.8

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

CVE-2025-5393 CVSS:9.1

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
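The five issues above share two root causes: a client-controlled file name that is not confined to the intended directory before it is moved or deleted, and an upload handler that checks neither file type nor caller capability. The following is an added example, not the plugin's or theme's own code, of the confinement check a defender would expect in such a handler. It is plain PHP 8 (str_contains/str_starts_with) so it runs without WordPress; the class name TempFileGuard, the directory and the file names are constructed for the demo, and in a real plugin the same logic would sit behind current_user_can() and wp_verify_nonce().

```php
<?php
// Added example, not the plugin's code: restrict a client-supplied temp-file name
// to one fixed directory and an extension allowlist before moving or deleting it.
declare(strict_types=1);

final class TempFileGuard
{
    private string $baseDir;
    private array $allowedExt;

    public function __construct(string $baseDir, array $allowedExt)
    {
        $real = realpath($baseDir);          // canonical base, no trailing separator
        if ($real === false) {
            throw new RuntimeException("base directory missing: $baseDir");
        }
        $this->baseDir = $real;
        $this->allowedExt = array_map('strtolower', $allowedExt);
    }

    // Returns the absolute path to act on, or null when the name must be refused.
    // $mustExist is true for move/delete sources, false for a not-yet-written upload target.
    public function resolve(string $name, bool $mustExist = true): ?string
    {
        // Bare file name only: no "/", "\", leading dot, "..", NUL or other odd bytes.
        if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name)) {
            return null;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($ext === '' || !in_array($ext, $this->allowedExt, true)) {
            return null;                     // type not in the allowlist (e.g. .php)
        }
        $candidate = $this->baseDir . DIRECTORY_SEPARATOR . $name;
        $real = realpath($candidate);
        if ($real === false) {
            return $mustExist ? null : $candidate;
        }
        // The canonical path must still sit under baseDir: defeats a symlink dropped in the temp dir.
        return str_starts_with($real, $this->baseDir . DIRECTORY_SEPARATOR) ? $real : null;
    }
}

// Demo on a constructed temp directory holding "report.pdf" and "shell.php".
$dir = sys_get_temp_dir() . '/guard-demo-' . getmypid();
mkdir($dir); touch("$dir/report.pdf"); touch("$dir/shell.php");
$guard = new TempFileGuard($dir, ['pdf', 'png', 'jpg']);
var_dump($guard->resolve('report.pdf'));          // allowed name and type
var_dump($guard->resolve('shell.php'));           // type outside the allowlist
var_dump($guard->resolve('../wp-config.php'));    // traversal out of the temp dir
var_dump($guard->resolve('sub/../report.pdf'));   // directory components in the name
unlink("$dir/report.pdf"); unlink("$dir/shell.php"); rmdir($dir);
```

Only the first call yields a path; the other three return null, which is the behaviour an upload, move or delete handler should fall back to before touching the filesystem.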

Impact

  • Code Execution

Indicators of Compromise

CVE

  • CVE-2025-7360

  • CVE-2025-7340

  • CVE-2025-7341

  • CVE-2025-5394

  • CVE-2025-5393

Affected Vendors

  • WordPress

Affected Products

  • HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress, all versions up to and including 2.2.1
  • Alone – Charity Multipurpose Non-profit WordPress Theme, all versions up to and including 7.8.3

Remediation

Refer to the WordPress website for patch, upgrade, or suggested workaround information for the affected plugin and theme.
