CVE-2025-6679

CRITICAL

Bit Form builder plugin for WordPress <2.20.4 - File Upload

Title source: llm

Description

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3343461%40bit-form%2Ftrunk&old=3336733%40bit-form%2Ftrunk&sfp_email=&sfph_mail=

Product

https://wordpress.org/plugins/bit-form/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2e294f-904b-4674-8baf-d3a9a260d634?source=cve

Scores

CVSS v3 9.8

EPSS 0.0066

EPSS Percentile 71.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

bitpressadmin/Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder < 2.20.3

bitpressadmin/Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder < 2.20.3

Published Aug 15, 2025

Tracked Since Feb 18, 2026