Three vulnerabilities were recently disclosed in a WordPress plugin installed on more than 10,000 sites: Arbitrary File Upload, Arbitrary File Deletion and Arbitrary File Move. Each could let an unauthenticated attacker execute malicious code on the server or tamper with and delete important files. The National Vulnerability Database (NVD) has recorded all three and assigned each a CVSS score on a scale from 0 (least severe) to 10 (most severe). Details for these and other vulnerabilities are published by the National Institute of Standards and Technology at nist.gov.
The Vulnerabilities:
CVE-2025-7340 (Score: 9.8 CRITICAL): The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file upload because it performs no file type validation, in all versions up to and including 2.2.1. An unauthenticated attacker can upload arbitrary files, including server-side scripts, to the web server, which makes remote code execution possible. The vulnerability was disclosed on July 14, 2025.
CVE-2025-7341 (Score: 9.8 CRITICAL): In the same plugin and versions, the temp_file_delete() function does not sufficiently validate the file path it is given, so an unauthenticated attacker can delete arbitrary files on the server. Deleting wp-config.php is the classic target: without its configuration file WordPress falls back into its installation (setup) mode, and an attacker who completes the installer against a database they control gains full control of the site.
CVE-2025-7360 (Score: 9.8 CRITICAL): Also in versions up to and including 2.2.1, insufficient file path validation allows an unauthenticated attacker to move arbitrary files on the server. Relocating files in this way can be escalated to remote code execution.
Remediation Strategies:
Beyond patching, the following measures help students, site owners and businesses stay protected.
Update Plugins:
- All three vulnerabilities have been patched; anyone running the plugin is strongly urged to update to release 2.2.2 immediately, since the affected versions are exploitable without authentication.
- Running outdated plugins leaves a site exposed to attacks like these; enable automatic plugin updates where the site can tolerate them.
Deactivate or Remove Unused Plugins:
- Every installed plugin is code an attacker can probe, and a deactivated plugin's files remain on the server, so removing unused plugins outright is safer than merely deactivating them.
- Fewer plugins mean a smaller attack surface and fewer entry points for vulnerabilities that have not yet been disclosed.
Restrict File Permissions:
- Set WordPress file and directory permissions according to the principle of least privilege.
- Least privilege means each account and process gets only the access it needs to do its job. For a WordPress install, the web server user typically needs to write to wp-content/uploads but has no business writing to wp-config.php or to plugin and core code.
- Applied this way, permissions limit what a file upload, deletion or move bug can do: a script dropped into the uploads directory cannot run if the server is configured not to execute PHP there, and a file cannot be deleted or moved by the web server process unless that process has write access to the directory containing it.
Sources:
https://nvd.nist.gov/vuln/detail/CVE-2025-7340