Skip to main content

Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder

1 CVEs product

Monthly

CVE-2026-14372 HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder
NVD
CVSS 3.1
7.1
EPSS
0.7%
EPSS 1% CVSS 7.1
HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy