CVE-2025-7341: CWE-269 Improper Privilege Management in htplugins HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-7341 is a critical security vulnerability identified in the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder WordPress plugin. The root cause is improper privilege management (CWE-269) due to insufficient validation of file paths in the temp_file_delete() function. This flaw allows unauthenticated attackers to invoke arbitrary file deletion on the hosting server. Because the function does not properly validate or sanitize the file path input, attackers can specify any file path, leading to deletion of critical files such as wp-config.php, which contains database credentials and configuration settings. Deletion of such files can disrupt website availability and enable remote code execution by facilitating further exploitation or site takeover. The vulnerability affects all plugin versions up to and including 2.2.1. The CVSS v3.1 base score is 9.1, reflecting the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and high availability impact (A:H). Although no public exploits are currently known, the vulnerability's characteristics make it highly exploitable. The plugin is widely used in WordPress environments globally, especially in regions with high WordPress market share. This vulnerability poses a significant risk to website integrity and availability, potentially leading to full site compromise if exploited.
Potential Impact
The vulnerability allows unauthenticated attackers to delete arbitrary files on the web server hosting the vulnerable WordPress plugin. This can lead to severe consequences including denial of service by deleting critical files, disruption of website functionality, and potential remote code execution if attackers delete configuration files like wp-config.php. The loss of wp-config.php can expose database credentials or allow attackers to manipulate site configuration, facilitating further compromise. Organizations relying on this plugin face risks of website defacement, data loss, and service outages. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation. This can damage organizational reputation, cause financial losses, and impact customer trust. The vulnerability also poses risks to hosting providers and managed WordPress service providers who may host multiple affected sites, amplifying the potential impact.
Mitigation Recommendations
1. Immediate mitigation involves restricting access to the vulnerable plugin's functionality by limiting permissions and disabling or removing the HT Contact Form Widget plugin if not essential.
2. Monitor web server and WordPress logs for suspicious file deletion attempts or unexpected errors related to file operations.
3. Implement web application firewall (WAF) rules to detect and block attempts to exploit the temp_file_delete() function by filtering suspicious HTTP requests targeting the plugin's endpoints.
4. Maintain regular backups of WordPress sites and critical configuration files to enable rapid restoration in case of file deletion.
5. Apply the vendor's patch or update the plugin to a fixed version as soon as it becomes available; if no patch is currently released, coordinate with the vendor for timelines or consider alternative plugins.
6. Harden the WordPress environment by enforcing least privilege principles on file system permissions, ensuring the web server user cannot delete critical files unnecessarily.
7. Educate site administrators about the risks and signs of exploitation to enable early detection and response.
8. Consider isolating WordPress instances in containerized or sandboxed environments to limit blast radius in case of compromise.
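The root cause described above is a deletion routine that trusts the caller-supplied path. As an added example that is not the plugin's own code, the following helper shows the confinement such a routine needs: only a bare file name is accepted, and the resolved path must stay inside one temp directory. The function name ht_safe_temp_delete and the directory layout are assumptions for illustration.

```php
<?php
// Added example, not code from the HT Contact Form plugin. It shows the
// path confinement that a temp-file deletion handler needs: the caller may
// only name a file, and the resolved path must stay inside one directory.
// The function and directory names are assumed for illustration.

function ht_safe_temp_delete(string $temp_dir, string $requested): bool
{
    // Resolve the allowed directory; fail closed if it does not exist.
    $base = realpath($temp_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $base .= DIRECTORY_SEPARATOR;

    // Accept a bare file name only: basename() strips any directory part,
    // so "../wp-config.php" or "/etc/hostname" no longer equal $requested.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || basename($requested) !== $requested) {
        return false;
    }

    $candidate = $base . $requested;
    // Refuse symlinks (they could point outside the directory), then
    // resolve the final path and require it to remain under $base.
    if (is_link($candidate)) {
        return false;
    }
    $target = realpath($candidate);
    if ($target === false
        || strncmp($target, $base, strlen($base)) !== 0
        || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demonstration: one legitimate file and two rejected requests.
// In a WordPress AJAX handler, check_ajax_referer() and current_user_can()
// checks belong before this call, since the report above states the
// vulnerable endpoint is reachable without authentication.
$dir = sys_get_temp_dir() . '/ht-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/upload.tmp", 'x');
var_dump(ht_safe_temp_delete($dir, '../wp-config.php'));
var_dump(ht_safe_temp_delete($dir, '/etc/hostname'));
var_dump(ht_safe_temp_delete($dir, 'upload.tmp'));
rmdir($dir);
```

The two traversal-style requests are rejected before any filesystem write, and only the file inside the constructed temp directory is removed.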
Affected Countries
United States, Germany, United Kingdom, India, Brazil, Canada, Australia, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-07T20:52:52.019Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6875d989a83201eaacccacf8
Added to database: 7/15/2025, 4:31:05 AM
Last enriched: 2/26/2026, 4:05:27 PM
Last updated: 3/26/2026, 9:39:27 AM