Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form Builder
Approved changes feed: RSS · Atom
cpe:2.3:a:bitpressadmin:bit_form_–_custom_contact_form,_multi_step,_conversational_form_&_payment_form_builder:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Bitpressadmin (6145715e-8d5d-56ce-b3e4-03c497ba25bd) |
|---|---|
| Product | Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form Builder (111a63d0-61d1-5667-96bd-b8f57ee2294e) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-6679 |
vulnerable | 2026-06-08 07:43:15.879813 |
Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload
CRITICAL (9.8)
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.
Published: 2025-08-15T06:40:42.601Z
Updated: 2026-04-08T16:59:38.425Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2580 |
vulnerable | 2026-06-08 07:16:57.592734 |
Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
MEDIUM (4.9)
The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-04-25T05:25:06.373Z
Updated: 2026-04-08T16:40:57.362Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14901 |
vulnerable | 2026-06-08 07:06:35.336009 |
Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay
MEDIUM (6.5)
The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response.
Published: 2026-01-07T06:35:57.705Z
Updated: 2026-04-08T16:33:04.061Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9507 |
vulnerable | 2026-06-08 07:00:28.094347 |
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.15.2 - Authenticated (Administrator+) Improper Input Validation via iconUpload Function to Arbitrary File Read
MEDIUM (4.9)
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.15.2 due to improper input validation within the iconUpload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to leverage a PHP filter chain attack and read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2024-10-11T07:37:45.931Z
Updated: 2026-04-08T17:14:21.751Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6123 |
vulnerable | 2026-06-08 06:58:17.888860 |
Bit Form <= 2.13.3 - Authenticated (Administrator+) Arbitrary File Upload
HIGH (7.2)
The Bit Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'iconUpload' function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2024-07-09T07:38:45.238Z
Updated: 2026-04-08T16:59:21.319Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1640 |
vulnerable | 2026-06-08 06:27:13.955914 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-13451 |
vulnerable | 2026-06-08 06:25:37.710019 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-13450 |
vulnerable | 2026-06-08 06:25:37.708899 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12190 |
vulnerable | 2026-06-08 06:23:51.417525 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.