Description
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
Published: 2026-07-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bit Form plugin includes a flaw that allows authenticated users with subscriber-level access or higher to delete any file on the server. The deleteFiles function does not properly validate the file path it receives, which makes it possible to supply a path that references critical WordPress files such as wp-config.php. By removing such a file, an attacker can gain remote code execution privileges or disrupt the site. This flaw is a classic operating‑system path traversal and file deletion issue (CWE‑22).

Affected Systems

Affected products are the WordPress plugin Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder, distributed by bitpressadmin. All versions up to and including 3.1.1 are impacted. Users running version 3.1.1 or earlier should verify their version and apply updates as soon as a fix is released.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 7.1, indicating high severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, which means no known exploitation has been reported yet. However, because the flaw requires only authenticated subscriber or higher access—roles that many sites grant to a large user base—the exploitation effort is low once the attacker has legitimate credentials. Once authenticated, the attacker can trigger the delete action through the plugin’s administrative or Ajax endpoints and supply a target path. If the attacker deletes a sensitive file, remote code execution or site compromise can follow.

Generated by OpenCVE AI on July 9, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bit Form plugin to a version that resolves the deletion flaw (any release newer than 3.1.1).
  • Temporarily revoke or reduce subscriber and higher user roles from accessing the plugin’s delete interface, or remove those roles from the site if they are not needed.
  • Implement file‑system permissions or use a security plugin to restrict write and delete rights for WordPress files, ensuring wp-config.php and other critical files are not world‑writeable.
  • Monitor the file system or use logging to detect unexpected deletion events.

Generated by OpenCVE AI on July 9, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 10:45:00 +0000

Type Values Removed Values Added
Description The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
Title Bit Form <= 3.1.1 - Authenticated (Subscriber+) Arbitrary File Deletion via '_old' Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-09T12:31:38.236Z

Reserved: 2026-07-01T19:57:09.003Z

Link: CVE-2026-14372

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T23:00:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')