Impact
An SQL Injection flaw exists in the Bit Form plugin for WordPress: user-supplied input is embedded in an SQL statement without being sanitized or bound as a parameter. An attacker who can reach the affected code path can inject arbitrary SQL, potentially reading data the plugin never meant to expose, modifying or deleting rows, or otherwise corrupting the database. The weakness is a classic instance of CWE-89 (improper neutralization of special elements used in an SQL command). Depending on the privileges of the database account WordPress runs under and on the server configuration, it can affect the confidentiality, integrity, and availability of the WordPress database and possibly the wider hosting environment.
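The following is an added example, not code from the Bit Form plugin or from this advisory. It shows the CWE-89 pattern the paragraph describes, string interpolation of request parameters into SQL, next to the hardened form that binds them as parameters, using an in-memory SQLite table and constructed sample rows (the schema, table name and parameters are assumptions for illustration). The WordPress equivalent of the parameterised query is $wpdb->prepare() with %d and %s placeholders.

```python
import sqlite3

# Constructed sample data: a tiny "form entries" table standing in for a plugin's
# own table. Neither the schema nor the queries are taken from Bit Form.
SAMPLE_ROWS = [
    (1, "alice", "first form, alice"),
    (2, "bob", "second form, bob"),
    (2, "carol", "second form, carol"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (id INTEGER PRIMARY KEY, form_id INTEGER, "
        "owner TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO entries (form_id, owner, payload) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def entries_vulnerable(conn: sqlite3.Connection, form_id: str, owner: str) -> list:
    """CWE-89: request parameters are interpolated straight into the SQL text."""
    sql = (
        f"SELECT id, owner FROM entries WHERE form_id = {form_id} AND owner = '{owner}'"
    )
    return conn.execute(sql).fetchall()


def entries_safe(conn: sqlite3.Connection, form_id: str, owner: str) -> list:
    """Hardened form: validate the numeric field and bind both values as parameters.

    The values never become part of the statement, so quotes, comments and
    keywords inside them are inert. In a WordPress plugin this is
    $wpdb->prepare("... WHERE form_id = %d AND owner = %s", $form_id, $owner).
    """
    if not form_id.isdigit():
        raise ValueError(f"form_id must be a non-negative integer, got {form_id!r}")
    return conn.execute(
        "SELECT id, owner FROM entries WHERE form_id = ? AND owner = ?",
        (int(form_id), owner),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A tautology in the string parameter returns every row of the table.
    print("vulnerable, owner payload:  ", entries_vulnerable(db, "2", "x' OR '1'='1"))
    # A comment in the numeric parameter discards the rest of the WHERE clause.
    print("vulnerable, form_id payload:", entries_vulnerable(db, "1 OR 1=1 --", "x"))
    # The same owner payload is just a string that matches nothing.
    print("safe, owner payload:        ", entries_safe(db, "2", "x' OR '1'='1"))
```

The sqlite3 module refuses stacked statements in a single execute() call, so the demonstration sticks to tautology and comment injection; the concatenation flaw itself is identical on the MySQL/MariaDB backend WordPress uses.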
Affected Systems
The Bit App's Bit Form plugin is affected in all releases up to and including version 2.21.10; any WordPress installation running one of those versions is vulnerable. Administrators should check the installed plugin version (in the WordPress Plugins screen, or with WP-CLI via wp plugin list) and upgrade to a release later than 2.21.10 if it falls within the affected range. When scripting the check, compare version components numerically rather than as strings: lexicographically "2.21.9" sorts after "2.21.10", which would wrongly mark an affected release as patched.
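An added example (not part of the advisory or the plugin) of the version check described above: it reads the Version header from a plugin's main file using the same header pattern WordPress core applies, compares component by component against the 2.21.10 upper bound, and handles uneven lengths such as "2.21" versus "2.21.10.0". The plugin header shown is constructed for the example.

```python
import re
from typing import Optional

# Highest affected release named in the advisory; anything later is out of range.
AFFECTED_MAX = "2.21.10"

# Same pattern WordPress core uses to read a plugin's file header (get_file_data()).
_VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.IGNORECASE | re.MULTILINE)


def version_from_header(plugin_source: str) -> Optional[str]:
    """Extract the 'Version:' value from a plugin's main-file header comment."""
    m = _VERSION_HEADER.search(plugin_source)
    return m.group(1).strip() if m else None


def version_key(version: str) -> tuple:
    """Split '2.21.10' into (2, 21, 10). Any suffix after the numeric part
    (e.g. '-beta1') is ignored, which is acceptable for an upper-bound check."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(installed: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True if installed <= affected_max, comparing numerically per component."""
    a, b = version_key(installed), version_key(affected_max)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so that 2.21.10 == 2.21.10.0
    b += (0,) * (width - len(b))
    return a <= b


# Constructed sample: the header comment of a hypothetical plugin main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Bit Form
 * Version: 2.21.10
 */
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    verdict = "AFFECTED, upgrade" if v and is_affected(v) else "not in affected range"
    print(f"installed {v}: {verdict}")
    # Why plain string comparison is wrong: lexicographically "2.21.9" > "2.21.10".
    print('"2.21.9" <= "2.21.10" as strings:', "2.21.9" <= "2.21.10")
```

On a live site the installed version can also be taken from WP-CLI (wp plugin get <slug> --field=version; the plugin's slug is not stated in the advisory and should be confirmed from the Plugins screen) and passed to is_affected().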
Risk and Exploitability
The CVSS score of 7.6 places the vulnerability in the High severity band of the CVSS qualitative rating scale, but its EPSS score of less than 1% indicates a low estimated probability of exploitation activity in the wild over the following 30 days, as of the time of analysis. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The likely attack vector, as for most WordPress plugin weaknesses, is an HTTP request that reaches the plugin's vulnerable endpoint carrying crafted input in the affected parameter, which the plugin then passes to the database without neutralizing SQL metacharacters. EPSS is a point-in-time estimate and can rise quickly once a public proof of concept appears, so the low score is not a reason to defer patching an internet-facing site; where the upgrade must wait, a web application firewall rule and monitoring of requests to the plugin's endpoints for SQL metacharacters reduce exposure in the meantime.
OpenCVE Enrichment