CVE-2025-7360: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in htplugins HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-7360 is a critical vulnerability in the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder WordPress plugin, affecting all versions up to and including 2.2.1. It is classified as CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal) and stems from insufficient validation of file paths in the plugin's handle_files_upload() function. Because the function does not confine the paths it operates on to the intended upload directory, an unauthenticated attacker can make the plugin move files that the web server process can reach to other locations on the server's filesystem.

The advisory singles out wp-config.php as the file whose relocation matters most. That file holds the database credentials and authentication salts, and moving it out of the way is a well-known route to code execution: when wp-config.php is absent, WordPress treats the site as not yet installed and exposes the setup wizard, which lets an unauthenticated attacker point the site at a database they control, create an administrator account and then install arbitrary plugin code. Being able to move that one file therefore amounts to full compromise of the site.

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N) shows the flaw is reachable over the network with low attack complexity and requires neither privileges nor user interaction. The base score of 9.1 reflects high integrity and availability impact; confidentiality is rated none because the primitive is file movement rather than direct disclosure of file contents, even though the resulting code execution would expose everything on the server. No patch or fix is linked in the record and no in-the-wild exploitation had been reported at the time of analysis, but the low barrier to exploitation and the severity of the outcome make this a high-risk issue for any site running the plugin.
Potential Impact
For European organizations, this vulnerability poses a significant threat to the security and operational integrity of websites built on WordPress using the affected HT Contact Form Widget plugin. Successful exploitation can lead to remote code execution, allowing attackers to deploy backdoors, deface websites, steal sensitive data, or pivot to internal networks. This can result in data breaches, service outages, reputational damage, and potential regulatory non-compliance, especially under GDPR requirements for protecting personal data. Organizations relying on WordPress for customer-facing portals, e-commerce, or internal communications are particularly at risk. The unauthenticated nature of the exploit means attackers can scan and target vulnerable sites en masse, increasing the likelihood of widespread compromise. Additionally, the ability to move arbitrary files can disrupt website functionality or enable further exploitation chains. Given the popularity of WordPress in Europe, this vulnerability could impact a broad range of sectors including government, finance, healthcare, and retail.
Mitigation Recommendations
Immediate mitigation steps:
1) Identify and inventory all WordPress installations running the HT Contact Form Widget plugin, with particular attention to versions up to and including 2.2.1.
2) Deactivate or remove the vulnerable plugin until a fixed version is available; the record currently links no patch.
3) Add web application firewall (WAF) rules that block traversal sequences (../, ..\ and their percent-encoded and double-encoded forms) and references to wp-config.php in parameters sent to the plugin's form-submission endpoints.
4) Monitor web server and application logs for requests carrying such sequences and for unexpected file operations. A path supplied in a POST body does not appear in a standard access log, so WAF audit logging or application-level logging is needed to see it.
5) Restrict filesystem permissions so the web server process cannot move or modify critical files such as wp-config.php. Moving a file requires write permission on its containing directory, not on the file itself, so a read-only wp-config.php is not enough: the web root, and any directory that holds wp-config.php, must not be writable by the web server user.
6) Apply the principle of least privilege to the web server user to limit the blast radius if the flaw is exploited.
7) Keep WordPress core and all plugins updated, and subscribe to vendor or security mailing lists for timely notice of a fixed release.
8) Audit affected systems and run integrity checks (file hashes, unexpected files in the web root, unfamiliar administrator accounts, a wp-config.php that has gone missing or been renamed) to detect signs of compromise.
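To make the log-monitoring step concrete, here is an added example (not part of the advisory and not the plugin's code) that scans access-log lines in the common combined format for traversal sequences and for wp-config.php references in request parameters, decoding repeatedly so double encoding does not hide them. The log lines are constructed, and the assumption that the plugin's form posts go through /wp-admin/admin-ajax.php is there only to give the sample an endpoint to flag; set UPLOAD_ENDPOINTS to the paths your site actually exposes.

```python
import re
from urllib.parse import unquote

# Added detection example for the log-monitoring recommendation; it is not
# the advisory's or the plugin's code. It scans combined-format access-log
# lines for traversal sequences and sensitive file names in request
# parameters. The sample lines are constructed. UPLOAD_ENDPOINTS is an
# assumption (many plugins post forms through admin-ajax.php); set it to the
# endpoints your own site actually exposes.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# '..' followed by a separator (or end of string), preceded by start of
# string, a separator or a delimiter such as '=' or '&'. A file name like
# "report..pdf" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[^\w.])\.\.(?:[\\/]|$)')
SENSITIVE_RE = re.compile(r'wp-config\.php|\.htaccess', re.IGNORECASE)
UPLOAD_ENDPOINTS = ("/wp-admin/admin-ajax.php",)


def full_decode(value, rounds=3):
    """Percent-decodes until the value stops changing (bounded), so that
    double encoding such as %252e%252e%252f cannot hide a '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Returns a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = full_decode(m.group("target")).partition("?")
    reasons = []
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        reasons.append("traversal sequence")
    if SENSITIVE_RE.search(query):
        reasons.append("sensitive file name in parameter")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "path": path,
        "upload_endpoint": any(path.startswith(e) for e in UPLOAD_ENDPOINTS),
        "reasons": reasons,
    }


def scan(lines):
    return [hit for hit in (analyse_line(line) for line in lines) if hit]


# Constructed sample: a benign file name containing a double dot, a plain
# traversal, a double-encoded traversal, a traversal probe against a
# different endpoint, and an ordinary upload.
SAMPLE_LOG = [
    '198.51.100.4 - - [15/Jul/2025:04:31:05 +0000] "GET /wp-content/uploads/2025/07/report..pdf HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jul/2025:04:32:11 +0000] "POST /wp-admin/admin-ajax.php?action=contact_form_upload&file=../../wp-config.php HTTP/1.1" 200 31 "-" "python-requests/2.32"',
    '203.0.113.7 - - [15/Jul/2025:04:32:12 +0000] "POST /wp-admin/admin-ajax.php?action=contact_form_upload&file=..%252f..%252fwp-config.php HTTP/1.1" 200 31 "-" "python-requests/2.32"',
    '203.0.113.9 - - [15/Jul/2025:04:33:40 +0000] "GET /?s=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 4410 "-" "curl/8.5.0"',
    '192.0.2.25 - - [15/Jul/2025:04:35:02 +0000] "POST /wp-admin/admin-ajax.php?action=contact_form_upload&file=brochure.pdf HTTP/1.1" 200 31 "https://example.test/contact/" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "UPLOAD ENDPOINT" if hit["upload_endpoint"] else "other"
        print(hit["time"], hit["ip"], hit["method"], hit["path"], flag, ", ".join(hit["reasons"]))
```

Two caveats. The access log records only the request line, so a path that the plugin reads from a multipart POST body never shows up here; catching that needs the WAF's audit log (ModSecurity's, for example) or logging inside the application, which is one reason the WAF rule in step 3 matters. And the bounded repeated decoding is deliberate: a filter that decodes exactly once is bypassed by the %252e form shown in the third sample line.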
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-08T16:10:04.994Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6875d989a83201eaacccacfd
Added to database: 7/15/2025, 4:31:05 AM
Last enriched: 7/15/2025, 4:46:09 AM
Last updated: 7/15/2025, 10:53:33 AM
Related Threats
- CVE-2025-7667: CWE-352 Cross-Site Request Forgery (CSRF) in josxha Restrict File Access (High)
- CVE-2025-4369: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in papin Companion Auto Update (Medium)
- CVE-2025-24477: Escalation of privilege in Fortinet FortiOS (Medium)
- CVE-2025-7672: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in JiranSoft CrossEditor4 (Low)
- CVE-2025-3621: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in ProTNS ActADUR (Critical)