Description
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.
Published: 2025-08-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Upload that can lead to remote code execution
Action: Apply Patch
AI Analysis

Impact

The Bit Form builder plugin for WordPress allows unauthenticated attackers to upload arbitrary files because it lacks file type validation. If the PRO edition is installed and an advanced file upload element is published, an attacker can place files on the server, potentially enabling remote code execution. The vulnerability is a classic instance of CWE‑434, where insufficient validation of uploaded content creates an attack vector.

Affected Systems

WordPress sites running the Bit Form contact‑form plugin (bitpressadmin Bit‑Form) in versions up to and including 2.20.4. The issue is exploitable only when the PRO edition is also installed and activated and a form containing the advanced file‑upload element has been published.

Risk and Exploitability

The CVSS score of 9.8 classifies the vulnerability as critical, while the EPSS score of < 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs to visit the site and submit the published form that contains the upload element; no authentication is required. Successful exploitation would allow the attacker to place arbitrary files under the web root, where they could be executed by the web server, leading to full remote compromise of the affected host.

Generated by OpenCVE AI on April 22, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bit Form to a version later than 2.20.4, which adds the file‑type validation that earlier versions lack.
  • If an upgrade is not immediately possible, delete the PRO edition and any forms that contain the advanced file‑upload element until a fix is applied.
  • Disable or restrict the upload directory’s write permissions and monitor the upload folder for unexpected files.

Advisories

Source: EUVD
ID: EUVD-2025-24991
Title: The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.

History

Sat, 16 Aug 2025 21:45:00 +0000

Type: First Time appeared
Values Added:
  • Bitpressadmin
  • Bitpressadmin contact Form By Bit Form Multi Step Form
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Bitpressadmin
  • Bitpressadmin contact Form By Bit Form Multi Step Form
  • Wordpress
  • Wordpress wordpress

Fri, 15 Aug 2025 12:15:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 Aug 2025 06:45:00 +0000

Type: Description
Values Added: The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.

Type: Title
Values Added: Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added:
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:38.425Z

Reserved: 2025-06-25T19:36:25.214Z

Link: CVE-2025-6679

Vulnrichment

Updated: 2025-08-15T12:05:18.634Z

NVD

Status: Deferred

Published: 2025-08-15T07:15:28.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses