A critical vulnerability has been discovered in a popular WordPress plugin, "The HT Contact Form Widget For Elementor Page Builder." This flaw allows an unauthenticated attacker to move files on the server to arbitrary locations, which could lead to the exposure of sensitive configuration files or remote code execution. Successful exploitation would result in a complete compromise of the affected website, potentially leading to data theft and significant operational disruption.

The vulnerability exists due to insufficient validation of file paths within a function responsible for moving files. An attacker can manipulate the input parameters of this function, likely through a contact form submission, to include path traversal sequences (e.g., ../../..). This allows them to specify a sensitive source file, such as wp-config.php, and move it to a web-accessible directory like /wp-content/uploads/. Once moved, the attacker can download the file via their browser to steal database credentials and other sensitive configuration details, leading to a full system compromise.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a severe and direct impact on the business. If an attacker successfully moves and accesses the wp-config.php file, they will gain access to the website's database credentials. This can lead to a complete data breach, including the theft of customer information, intellectual property, and other sensitive data. Furthermore, this level of access could be leveraged to achieve remote code execution, allowing the attacker to take full control of the web server, deface the website, host malware, or use the server to attack other systems, causing significant reputational damage and financial loss.

Immediate Action: Immediately apply the security update provided by the vendor to patch "The HT Contact Form Widget For Elementor Page Builder" to the latest version. After patching, review web server access logs and file system integrity for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring: Implement continuous monitoring of server logs for suspicious activity. Specifically, look for unusual file system operations, unexpected POST requests to form endpoints containing file path syntax, and access attempts to sensitive files (e.g., wp-config.php) in unusual locations. Monitor for the creation of unexpected files, especially PHP files, within public directories like /uploads.

Compensating Controls: If immediate patching is not feasible, consider the following controls:

• Disable the Plugin: Temporarily disable and deactivate the vulnerable plugin until it can be safely updated.
• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to block path traversal attacks and malicious file uploads.
• File Permissions: Enforce strict file system permissions to prevent the web server process from reading critical files outside of its webroot or writing to non-essential directories.

Public Exploit Available: false

Due to the critical severity of this vulnerability, we strongly recommend immediate and prioritized action. The primary course of action is to update the affected plugin across all WordPress instances without delay. The risk of a full website and server compromise is high. If patching cannot be performed immediately, the plugin must be disabled until a maintenance window is available. The implementation of compensating controls like a WAF is recommended as a standard security practice but should be considered a temporary mitigation, not a substitute for patching.