Contact Form by Bit Form

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.

Basic Information

ID CVE-2025-6679

Source Wordfence

Published Aug 15, 2025 at 06:40

Affected Product

Vendor bitpressadmin

Product Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder

Version *

Affected Versions bitpressadmin Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder *

CWE Classification

CWE-434

References

{
    "lastseen": "",
    "description": "The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.",
    "published": "2025-08-15T06:40:42.601Z",
    "modified": "2025-08-15T06:40:42.601Z",
    "type": "cve",
    "title": "Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2e294f-904b-4674-8baf-d3a9a260d634?source=cve\nhttps://wordpress.org/plugins/bit-form/\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3343461%40bit-form%2Ftrunk&old=3336733%40bit-form%2Ftrunk&sfp_email=&sfph_mail=",
    "id": "CVE-2025-6679",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "bitpressadmin Bit Form \u2013 Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Bit Form \u2013 Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder",
    "version": "*",
    "vendor": "bitpressadmin",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Contact Form by Bit Form – Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload_CVE-2025-6679