Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bit Apps Bit Form bit-form allows Phishing. This issue affects Bit Form: from n/a through <= 2.18.0.
Published: 2025-03-27
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bit Form plugin for WordPress contains an open redirect flaw. A crafted URL can be used to send visitors to any site that the attacker chooses. This vulnerability can facilitate phishing attacks, allowing attackers to impersonate legitimate content and trick users into submitting credentials or other sensitive data. The weakness corresponds to CWE-601.

Affected Systems

Bit Apps Bit Form plugin, all releases through version 2.18.0. Any WordPress site that has this plugin installed and configured with the redirect functionality exposed is affected. Versions 2.18.1 and later are not affected.

Risk and Exploitability

With a CVSS score of 4.7, the vulnerability presents moderate risk. The EPSS score of less than 1% indicates a very low exploitation probability at present. It is not listed in the CISA KEV catalog. The likely attack vector is via a malicious link that the attacker embeds in emails or social media posts, exploiting the redirect endpoint of the plugin. Successful exploitation results in user redirection to a malicious site but does not grant further access to the server or data.

Generated by OpenCVE AI on May 1, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Bit Form to a version newer than 2.18.0.
  • If an update cannot be performed immediately, disable the redirect feature in the plugin settings or remove the redirect endpoint altogether.
  • Deploy a web application firewall rule that blocks or sanitizes redirect URLs containing untrusted domains.
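The recommended actions above come down to one control: never pass a user-supplied redirect target to the browser without checking it against an allowlist. The following is an added example of that check, written for this page and not code from the Bit Form plugin; the allowlisted hosts (`example.com`, `www.example.com`), the fallback path `/` and the parameter name `redirect_to` are assumptions chosen for illustration. It accepts site-relative paths and absolute http(s) URLs on an allowlisted host, and rejects the usual parser-confusion forms (protocol-relative `//host`, backslashes, non-http schemes, userinfo tricks, lookalike subdomains).

```python
"""Allowlist validation for user-supplied redirect targets (CWE-601 mitigation).

Added example, not the plugin's own code. ALLOWED_HOSTS, the fallback path
and the `redirect_to` parameter name are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the site's own hostnames. Anything else is refused.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on an allowlisted host.

    Accepted: an absolute path on this site ("/thanks") or an absolute
    http(s) URL whose host is in `allowed_hosts`. Everything else is
    rejected, including protocol-relative URLs ("//other.test"), backslash
    variants ("/\\other.test"), non-http schemes ("javascript:...") and
    URLs carrying userinfo ("https://example.com@other.test").
    """
    if not target or len(target) > 2048:
        return False
    # Control characters and whitespace change how browsers parse a URL;
    # a legitimate redirect target never contains them.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" like "/", so "/\other.test" would become a
    # protocol-relative URL on the client side. Refuse it outright.
    if "\\" in target:
        return False

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # A relative reference: allow only absolute paths on this site.
        # urlsplit already puts "//host" into netloc, so it never lands here.
        return target.startswith("/") and not target.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False
    # Explicit userinfo is never legitimate for a redirect; rejecting it
    # also defeats "https://example.com@other.test" style confusion.
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname lowercases the host and strips any port.
    host = parts.hostname
    if host is None:
        return False
    # Exact match only: "example.com.other.test" must not pass.
    return host in allowed_hosts


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise the fallback path."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, as a request handler might receive them
    # in a `redirect_to` parameter (hypothetical parameter name).
    samples = [
        "/thanks",
        "https://www.example.com/confirm?id=1",
        "//other.test/",
        "https://example.com@other.test/",
        "javascript:alert(1)",
        "https://example.com.other.test/",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s)!r}")
```

The check is deliberately exact-match on the host and refuses anything it cannot parse cleanly; a "contains example.com" or "starts with http" test is exactly the kind of sanitizer that open-redirect bypasses are built against.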



Advisories
Source: EUVD
ID: EUVD-2025-8316
Title: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bit Apps Bit Form – Contact Form Plugin allows Phishing. This issue affects Bit Form – Contact Form Plugin: from n/a through 2.18.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bit Apps Bit Form – Contact Form Plugin allows Phishing. This issue affects Bit Form – Contact Form Plugin: from n/a through 2.18.0.
Values Added: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bit Apps Bit Form bit-form allows Phishing. This issue affects Bit Form: from n/a through <= 2.18.0.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Thu, 27 Mar 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values Added: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bit Apps Bit Form – Contact Form Plugin allows Phishing. This issue affects Bit Form – Contact Form Plugin: from n/a through 2.18.0.

Type: Title
Values Added: WordPress Bit Form plugin <= 2.18.0 - Open Redirection vulnerability

Type: Weaknesses
Values Added: CWE-601

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.795Z

Reserved: 2025-03-26T09:21:23.220Z

Link: CVE-2025-30885

Vulnrichment

Updated: 2025-03-27T16:24:37.175Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:49.493

Modified: 2026-04-23T15:27:15.753

Link: CVE-2025-30885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:00:06Z

Weaknesses