Severity
Medium
Analysis Summary
CVE-2025-7360 (CVSS 9.1)
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
CVE-2025-7340 (CVSS 9.8)
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
CVE-2025-7341 (CVSS 9.1)
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVE-2025-5394 (CVSS 9.8)
The Alone – Charity Multipurpose Non-profit WordPress Theme (a theme for WordPress) is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
CVE-2025-5393 (CVSS 9.1)
The Alone – Charity Multipurpose Non-profit WordPress Theme (a theme for WordPress) is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
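The five findings above share three root causes: a missing capability check on a privileged action, missing file type validation on an upload, and insufficient path validation before a file is moved or deleted. The following is an added example, not code from the HT Contact Form plugin or the Alone theme, of a hypothetical WordPress AJAX handler that applies all three controls; every function name, nonce action and the example-temp directory are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's or theme's own code): a hypothetical hardened
// WordPress AJAX handler showing the controls whose absence the advisory describes.
// Function names, nonce actions, the allow-list and the temp directory are assumptions.

const EXAMPLE_ALLOWED_EXT = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];   // constructed allow-list

// Directory inside wp-content/uploads that temp files are confined to.
function example_temp_dir(): string {
    $dir = trailingslashit(wp_upload_dir()['basedir']) . 'example-temp';
    wp_mkdir_p($dir);
    return $dir;
}

// Turns a user-supplied file name into an absolute path under $base, or null.
// Rejects directory components, "..", and any name sanitize_file_name() would alter,
// so a value such as "../../wp-config.php" can never resolve outside $base.
function example_contained_path(string $base, string $user_name): ?string {
    $name = basename($user_name);
    if ($name === '' || $name === '.' || $name === '..' || $name !== $user_name) {
        return null;                                   // empty, or carried a directory part
    }
    if ($name !== sanitize_file_name($name)) {
        return null;                                   // control chars, leading dots, etc.
    }
    $real_base = realpath($base);
    if ($real_base === false) {
        return null;
    }
    return $real_base . DIRECTORY_SEPARATOR . $name;
}

// Upload handler: type is validated from the file's content and extension,
// never from the client-supplied MIME string, and the server picks the name.
function example_handle_upload(): void {
    check_ajax_referer('example_upload', 'nonce');     // CSRF protection for the form
    if (empty($_FILES['file']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }
    $file  = $_FILES['file'];
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])
        || !in_array(strtolower($check['ext']), EXAMPLE_ALLOWED_EXT, true)) {
        wp_send_json_error('file type not allowed', 415);   // rejects .php, .phtml, double extensions
    }
    $target = example_temp_dir() . DIRECTORY_SEPARATOR
            . wp_generate_password(20, false) . '.' . $check['ext'];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        wp_send_json_error('store failed', 500);
    }
    wp_send_json_success(['name' => basename($target)]);
}

// Delete handler: only a bare file name inside the temp directory is ever unlinked.
function example_delete_temp_file(): void {
    check_ajax_referer('example_delete', 'nonce');
    $path = example_contained_path(example_temp_dir(), (string) ($_POST['name'] ?? ''));
    if ($path === null || !is_file($path)) {
        wp_send_json_error('invalid file', 400);
    }
    unlink($path);
    wp_send_json_success();
}

// Privileged action (installing a plugin from a remote zip): require the capability
// WordPress core itself uses for plugin installation, and never register it for nopriv.
function example_install_plugin(): void {
    check_ajax_referer('example_install', 'nonce');
    if (!current_user_can('install_plugins')) {
        wp_send_json_error('forbidden', 403);
    }
    // ... install logic would go here ...
    wp_send_json_success();
}

add_action('wp_ajax_example_upload',        'example_handle_upload');
add_action('wp_ajax_nopriv_example_upload', 'example_handle_upload');   // public form: type and path checks carry the load
add_action('wp_ajax_example_delete',        'example_delete_temp_file');
add_action('wp_ajax_example_install',       'example_install_plugin');  // deliberately no nopriv hook
```

The public upload endpoint stays reachable by unauthenticated users, as a contact form must be, so its safety rests on the allow-list and on the server choosing the stored file name; the delete endpoint accepts only a bare name it re-resolves under its own directory; and the plugin-install action is gated on the install_plugins capability and is simply not exposed through a nopriv hook.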
Impact
- Code Execution
Indicators of Compromise
CVE
CVE-2025-7360
CVE-2025-7340
CVE-2025-7341
CVE-2025-5394
CVE-2025-5393
Affected Vendors
- WordPress
Affected Products
- HT Contact Form Widget For Elementor Page Builder and Gutenberg Blocks and Form Builder plugin for WordPress, versions up to and including 2.2.1
- Alone – Charity Multipurpose Non-profit WordPress Theme, versions up to and including 7.8.3
Remediation
Refer to the WordPress website for patch, upgrade, or suggested workaround information.