Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Default integration configuration satisfies exploitation, so AC:L; unauthenticated per CVSS PR:N; partial confidentiality and integrity impact from internal service reach; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Bit integrations - Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.
AnalysisAI
Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that at least one active Bit Integrations configuration exists on the WordPress site with a form field mapped to one of the following specific WooCommerce fields: product image, product gallery, or downloadable files; OR a Google Contacts attachment field. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N yields a base score of 6.5, which accurately represents the network reachability and lack of authentication required, but may understate real-world risk in cloud-hosted WordPress deployments where SSRF can reach instance metadata services (e.g., AWS IMDSv1) and yield credential material. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Bit Integrations with an active WooCommerce or Google Contacts integration that maps an attachment field. The attacker submits a crafted form payload to the upload_attachment endpoint supplying a URL pointing to the AWS instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/), causing the web server to fetch and return IAM credential material. … |
| Remediation | Upstream fix available (PR/commit via WordPress plugin repository changeset 3571608); a released patched version number is not independently confirmed from available data - administrators should check the WordPress plugin repository for a version newer than 2.8.7 and update immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37985
GHSA-fxr5-h7mw-3fwm