CVE-2025-7360 — AI Deep Analysis Summary

🚨 **Essence**: Path Traversal (CWE-22) in HT Contact Form Widget. 📉 **Consequences**: High Integrity & Availability impact.…

🔍 **Root Cause**: Improper input validation in the `han` function (likely related to file path handling). 📂 **CWE**: CWE-22 (Path Traversal).…

🎯 **Affected**: WordPress Plugin: **HT Contact Form – Drag & Drop Form Builder**. 📦 **Version**: 2.2.1 and earlier. 🏢 **Vendor**: htplugins. If you use this form builder, you are at risk. 📉

💀 **Attacker Actions**: Full file read/write access. 📄 Can read config files (DB creds), core WP files, or inject malicious PHP shells. 🔓 **Privileges**: No authentication required (PR:N).…

🚪 **Threshold**: LOW. 🛡️ **Auth**: None required (PR:N). 🌐 **Network**: Network accessible (AV:N). 🖱️ **UI**: No user interaction needed (UI:N). 📊 **Complexity**: Low (AC:L). Easy to exploit remotely. ⚡

📜 **Public Exp?**: No specific PoC code provided in the data. 🌐 **References**: WordFence and WP Trac links exist. 🕵️‍♂️ **Status**: Likely exploitable given CVSS 3.1/AV:N/AC:L/PR:N.…

🔎 **Self-Check**: Scan for plugin `ht-contactform`. 📂 **Version Check**: Ensure version > 2.2.1. 🧪 **Test**: Look for file inclusion errors in logs if testing safely.…

🛠️ **Fix**: Yes, a patch exists. 📝 **Commit**: Changeset 3326887 in `admin/Includes/Api/Endpoints/Submission.php`. 🔗 **Link**: WordPress Trac reference provided. ✅ **Action**: Update to the latest version immediately. 🚀

🚧 **No Patch?**: Disable the plugin immediately. 🗑️ **Remove**: Uninstall if not needed. 🛡️ **WAF**: Block requests containing `../` or path traversal patterns. 🚫 **Isolate**: Restrict file permissions.…

🔥 **Urgency**: HIGH. 🚨 **CVSS**: High severity (I:H, A:H). 📅 **Published**: 2025-07-15. ⏳ **Time**: Critical to patch now. 🏃‍♂️ **Priority**: Immediate action required to prevent compromise. 🚨