FKIE_CVE-2026-14372

Vulnerability from fkie_nvd - Published: 2026-07-09 11:16 - Updated: 2026-07-09 16:19
Summary
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
References
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Admin/Form/Helpers.php#L302
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Form/FormManager.php#L1039
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Form/FormManager.php#L1044
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Util/FileHandler.php#L129
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Frontend/Ajax/FrontendAjax.php#L87
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Admin/Form/Helpers.php#L302
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Form/FormManager.php#L1039
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Form/FormManager.php#L1044
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Util/FileHandler.php#L129
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Frontend/Ajax/FrontendAjax.php#L87
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset/3598554/bit-form/trunk/includes/Core/Form/FormManager.php
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset?old_path=%2Fbit-form/tags/3.1.1&new_path=%2Fbit-form/tags/3.1.2
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/943668eb-0185-4029-9459-f99141bf84cf?source=cve
Impacted products
Vendor Product Version

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Bit Form \u2013 Contact Form, Payment Forms, Multi Step Forms, Calculator \u0026 Custom Form Builder",
          "vendor": "bitpressadmin",
          "versions": [
            {
              "lessThanOrEqual": "3.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "security@wordfence.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Bit Form \u2013 Contact Form, Payment Forms, Multi Step Forms, Calculator \u0026 Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config)."
    }
  ],
  "id": "CVE-2026-14372",
  "lastModified": "2026-07-09T16:19:45.567",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-14372",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-07-09T12:31:31.823720Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-07-09T11:16:24.910",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Admin/Form/Helpers.php#L302"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Form/FormManager.php#L1039"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Form/FormManager.php#L1044"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Util/FileHandler.php#L129"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Frontend/Ajax/FrontendAjax.php#L87"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Admin/Form/Helpers.php#L302"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Form/FormManager.php#L1039"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Form/FormManager.php#L1044"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Util/FileHandler.php#L129"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Frontend/Ajax/FrontendAjax.php#L87"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset/3598554/bit-form/trunk/includes/Core/Form/FormManager.php"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbit-form/tags/3.1.1\u0026new_path=%2Fbit-form/tags/3.1.2"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/943668eb-0185-4029-9459-f99141bf84cf?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…