Skip to main content

Bit Integrations CVE-2026-11989

| EUVDEUVD-2026-37985 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-19 Wordfence GHSA-fxr5-h7mw-3fwm
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Default integration configuration satisfies exploitation, so AC:L; unauthenticated per CVSS PR:N; partial confidentiality and integrity impact from internal service reach; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 06:37 vuln.today
CVE Published
Jun 19, 2026 - 04:31 nvd
MEDIUM 6.5

DescriptionCVE.org

The Bit integrations - Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.

AnalysisAI

Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Bit Integrations active
Delivery
Confirm WooCommerce or Google Contacts attachment field mapping
Exploit
Submit crafted form with attacker-controlled URL to upload_attachment endpoint
Execution
Server fetches attacker-specified internal URL
Impact
Read or modify internal service response data

Vulnerability AssessmentAI

Exploitation Exploitation requires that at least one active Bit Integrations configuration exists on the WordPress site with a form field mapped to one of the following specific WooCommerce fields: product image, product gallery, or downloadable files; OR a Google Contacts attachment field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N yields a base score of 6.5, which accurately represents the network reachability and lack of authentication required, but may understate real-world risk in cloud-hosted WordPress deployments where SSRF can reach instance metadata services (e.g., AWS IMDSv1) and yield credential material. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running Bit Integrations with an active WooCommerce or Google Contacts integration that maps an attachment field. The attacker submits a crafted form payload to the upload_attachment endpoint supplying a URL pointing to the AWS instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/), causing the web server to fetch and return IAM credential material. …
Remediation Upstream fix available (PR/commit via WordPress plugin repository changeset 3571608); a released patched version number is not independently confirmed from available data - administrators should check the WordPress plugin repository for a version newer than 2.8.7 and update immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy