Skip to main content

Bit Form CVE-2026-14372

| EUVDEUVD-2026-42564 HIGH
Path Traversal (CWE-22)
2026-07-09 Wordfence GHSA-6xr5-pj36-4gcg
7.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
vuln.today AI
8.1 HIGH

Network-reachable AJAX endpoint (AV:N/AC:L) needing only subscriber auth (PR:L); arbitrary file deletion is primarily an integrity and availability loss (I:H/A:H) with no direct data disclosure (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 11:30 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
HIGH 7.1

DescriptionCVE.org

The Bit Form - Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).

AnalysisAI

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber account on target
Delivery
Send crafted AJAX request to deleteFiles endpoint
Exploit
Traverse path to delete wp-config.php
Execution
WordPress enters setup mode
Persist
Reconnect to attacker DB
Impact
Gain admin and execute code

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with subscriber-level access or above (CVSS PR:L) on a WordPress site running Bit Form version ≤3.1.1, and reachability of the plugin's frontend AJAX file-deletion endpoint (FrontendAjax.php handler invoking deleteFiles). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H, base 7.1) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction - a realistic threat because subscriber accounts are frequently self-registerable on WordPress sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a subscriber account on a WordPress site running Bit Form ≤3.1.1, then sends a crafted AJAX request to the frontend file handler with a traversal path pointing at wp-config.php. WordPress, unable to find its configuration, drops into setup mode, allowing the attacker to reconnect the site to an attacker-controlled database and achieve administrative control and code execution. …
Remediation Vendor-released patch: update the Bit Form plugin to version 3.1.2 or later, which fixes the deleteFiles path validation (see the trac changeset https://plugins.trac.wordpress.org/changeset/3598554/bit-form/trunk/includes/Core/Form/FormManager.php and the 3.1.1→3.1.2 diff https://plugins.trac.wordpress.org/changeset?old_path=%2Fbit-form/tags/3.1.1&new_path=%2Fbit-form/tags/3.1.2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all WordPress sites running Bit Form plugin (versions ≤3.1.1), document installed versions and active user accounts, disable or deactivate the plugin across all instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy