Description
The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bit integrations plugin for WordPress contains an SSRF flaw in the upload_attachment handling code that permits unauthenticated users to instruct the server to make HTTP or HTTPS requests to any URL. This behavior allows attackers to read or modify data on internal hosts that are normally unreachable from the outside, potentially exposing sensitive information or altering internal services. The weakness arises from improper validation of the requested resource and is classified as CWE-918.

Affected Systems

WordPress sites that have installed the Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin in any version up to and including 2.8.7. The vulnerability is triggered when a form integration is configured with a mapping to a WooCommerce product image, product gallery, downloadable files, or a Google Contacts attachment field – all common default configurations.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, yet the vulnerability can be triggered by any visitor to the site without authentication. Exploitability does not require additional privileges or knowledge of secrets; an attacker simply creates or targets a vulnerable form mapping. Because the EPSS score is not available and the issue is not listed in CISA’s KEV catalog, the publicly known exploitation rate is uncertain, but the attack vector remains highly feasible for determined adversaries seeking internal reconnaissance or modification.

Generated by OpenCVE AI on June 19, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bit integrations plugin to version 2.8.8 or later once it becomes available, as this change removes the SSRF flaw.
  • Reconfigure existing form integrations to avoid mapping any fields that can trigger outbound requests, particularly those pointing to product images, galleries, downloadable files, or external service attachments.
  • If an update is not immediately possible, isolate the affected WordPress instance from internal networks or enforce stricter outbound filtering to block connections initiated by the plugin to unauthorized internal addresses.

Generated by OpenCVE AI on June 19, 2026 at 07:23 UTC.
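The Impact section attributes the flaw to improper validation of the requested resource, and the recommended actions ask for stricter outbound filtering. The following is an added example, not code from the Bit integrations plugin or from OpenCVE, showing what that validation looks like at the point where a plugin is about to fetch a user-supplied attachment URL: it restricts scheme and port, refuses embedded credentials, resolves the host, and rejects any answer in a loopback, private, link-local or reserved range. All function names, the fake resolver and the hostnames and addresses in the demonstration are the example's own assumptions.

```php
<?php
// Added example, not plugin code: validate a user-supplied URL before the
// server fetches it, closing the CWE-918 gap described above.

const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_PORTS   = [80, 443];

// True only for globally routable addresses. NO_PRIV_RANGE rejects RFC 1918
// and fc00::/7; NO_RES_RANGE rejects 0.0.0.0/8, loopback, 169.254.0.0/16
// (link-local, where cloud metadata services live), 240.0.0.0/4, ::1, ::
// and fe80::/10.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Default resolver: both A and AAAA records via the system resolver.
function resolve_host(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
        $ips[] = $r['ip'] ?? $r['ipv6'];
    }
    return $ips;
}

// Validates scheme, credentials, port and destination. Returns the resolved
// addresses so the caller can pin the connection to one of them (for example
// with curl's CURLOPT_RESOLVE); resolving again at fetch time would reopen a
// DNS-rebinding window between this check and the actual request.
function validate_attachment_url(string $url, ?callable $resolver = null): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        throw new InvalidArgumentException("scheme not allowed: $scheme");
    }
    if (empty($parts['host'])) {
        throw new InvalidArgumentException('missing host');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, ALLOWED_PORTS, true)) {
        throw new InvalidArgumentException("port not allowed: $port");
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 literal brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];                          // literal IP: check as-is
    } else {
        $addresses = ($resolver ?? 'resolve_host')($host);
        if ($addresses === []) {
            throw new InvalidArgumentException("host does not resolve: $host");
        }
    }
    // Every answer must be public: a name returning one public and one
    // internal address is rejected outright, not retried.
    foreach ($addresses as $ip) {
        if (!is_public_ip($ip)) {
            throw new InvalidArgumentException("$host resolves to non-public address $ip");
        }
    }
    return ['host' => $host, 'port' => $port, 'addresses' => $addresses];
}

// Offline demonstration with a constructed resolver; the hostnames and
// addresses are made up (203.0.113.0/24 is the documentation range).
$fake_dns = fn(string $h): array => [
    'images.example' => ['203.0.113.10'],
    'mixed.example'  => ['203.0.113.10', '10.0.0.5'],
][$h] ?? [];

$cases = [
    'https://images.example/product.png',  // ALLOW
    'http://169.254.169.254/',             // REJECT: link-local
    'http://127.0.0.1/',                   // REJECT: loopback
    'https://[::1]/',                      // REJECT: IPv6 loopback
    'https://mixed.example/file',          // REJECT: one internal answer
    'http://images.example:8080/',         // REJECT: port
    'ftp://images.example/file',           // REJECT: scheme
];
foreach ($cases as $url) {
    try {
        $ok = validate_attachment_url($url, $fake_dns);
        echo "ALLOW  $url -> " . implode(',', $ok['addresses']) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $url ({$e->getMessage()})\n";
    }
}
```

Inside WordPress the fetch itself should go through wp_safe_remote_get(), which applies wp_http_validate_url() and so already refuses private and reserved hosts; the validator above adds the stricter port list and the pinned-address return, and it is the kind of check to keep in front of any code path that turns a form field into an outbound request.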

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 06:15:00 +0000

Type         Values Removed   Values Added
Description                   The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.
Title                         Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping
Weaknesses                    CWE-918
References
Metrics                       cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T04:31:33.792Z

Reserved: 2026-06-11T14:30:23.613Z

Link: CVE-2026-11989

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T07:30:16Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)