A critical vulnerability exists in the HT Contact Form Widget plugin for WordPress, allowing an unauthenticated attacker to upload arbitrary files to the server. This flaw stems from a failure to validate file types during the upload process. Successful exploitation could lead to a complete compromise of the affected website, enabling an attacker to execute malicious code, steal sensitive data, and take full control of the web server.

The vulnerability is an Unrestricted File Upload flaw. An attacker can use the file upload functionality within a contact form created by the plugin to upload a malicious script (e.g., a PHP web shell) disguised as a standard file. The back-end process, which handles temporary file storage, fails to properly validate the file's extension or content type, allowing the malicious file to be saved to a web-accessible directory on the server. The attacker can then directly access the URL of the uploaded file to execute arbitrary code with the permissions of the web server process.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate risk to the organization. Exploitation can lead to a full server compromise, resulting in severe consequences such as the theft of confidential business data, customer personally identifiable information (PII), and payment details. Further risks include website defacement, reputational damage, the hosting of malware or phishing pages on the corporate domain, and the use of the compromised server as a pivot point for further attacks against the internal network.

Immediate Action: Immediately update The HT Contact Form Widget For Elementor Page Builder plugin to the latest patched version provided by the vendor. After the update, thoroughly test all contact forms to ensure their functionality has not been adversely affected.

Proactive Monitoring:

• Log Analysis: Review web server access logs for POST requests to form submission endpoints that include file uploads with suspicious extensions (e.g., .php, .phtml, .phar). Also, search for GET requests to unexpected files within the WordPress wp-content/uploads/ directory.
• File Integrity Monitoring (FIM): Implement or check FIM tools for alerts related to new, unauthorized files being created in web-accessible directories.
• Network Traffic: Monitor for unusual outbound connections from the web server, which could indicate a command-and-control (C2) channel established by a web shell.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to inspect file uploads and block files with executable extensions.
• Disable Feature: If the file upload capability on the contact form is not a business-critical requirement, disable it within the plugin's settings as a temporary measure.
• Server Hardening: Configure the web server to prevent script execution in the uploads directory. For Apache, this can be accomplished with a .htaccess file containing rules to disallow script execution.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the high potential for complete system compromise, we recommend immediate and urgent action. The primary course of action is to apply the vendor-supplied patch across all websites using this plugin without delay. Before and after patching, organizations should proactively hunt for indicators of compromise outlined in the monitoring plan to ensure the vulnerability has not already been exploited. Although this CVE is not yet on the CISA KEV list, its severity makes it a prime candidate for future inclusion and widespread exploitation.