Impact
The Bit Form plugin includes a flaw that allows authenticated users with subscriber-level access or higher to delete any file on the server. The deleteFiles function does not properly validate the file path it receives, which makes it possible to supply a path that references critical WordPress files such as wp-config.php. By removing such a file, an attacker can gain remote code execution privileges or disrupt the site. This flaw is a classic operating‑system path traversal and file deletion issue (CWE‑22).
Affected Systems
Affected products are the WordPress plugin Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder, distributed by bitpressadmin. All versions up to and including 3.1.1 are impacted. Users running version 3.1.1 or earlier should verify their version and apply updates as soon as a fix is released.
Risk and Exploitability
The vulnerability has a CVSS v3.1 base score of 7.1, indicating high severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, which means no known exploitation has been reported yet. However, because the flaw requires only authenticated subscriber or higher access—roles that many sites grant to a large user base—the exploitation effort is low once the attacker has legitimate credentials. Once authenticated, the attacker can trigger the delete action through the plugin’s administrative or Ajax endpoints and supply a target path. If the attacker deletes a sensitive file, remote code execution or site compromise can follow.
OpenCVE Enrichment