Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Network-reachable AJAX endpoint (AV:N/AC:L) needing only subscriber auth (PR:L); arbitrary file deletion is primarily an integrity and availability loss (I:H/A:H) with no direct data disclosure (C:N).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Bit Form - Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
AnalysisAI
Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with subscriber-level access or above (CVSS PR:L) on a WordPress site running Bit Form version ≤3.1.1, and reachability of the plugin's frontend AJAX file-deletion endpoint (FrontendAjax.php handler invoking deleteFiles). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H, base 7.1) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction - a realistic threat because subscriber accounts are frequently self-registerable on WordPress sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a subscriber account on a WordPress site running Bit Form ≤3.1.1, then sends a crafted AJAX request to the frontend file handler with a traversal path pointing at wp-config.php. WordPress, unable to find its configuration, drops into setup mode, allowing the attacker to reconnect the site to an attacker-controlled database and achieve administrative control and code execution. … |
| Remediation | Vendor-released patch: update the Bit Form plugin to version 3.1.2 or later, which fixes the deleteFiles path validation (see the trac changeset https://plugins.trac.wordpress.org/changeset/3598554/bit-form/trunk/includes/Core/Form/FormManager.php and the 3.1.1→3.1.2 diff https://plugins.trac.wordpress.org/changeset?old_path=%2Fbit-form/tags/3.1.1&new_path=%2Fbit-form/tags/3.1.2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all WordPress sites running Bit Form plugin (versions ≤3.1.1), document installed versions and active user accounts, disable or deactivate the plugin across all instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42564
GHSA-6xr5-pj36-4gcg