CVE-2026-14372
HIGHBit Form <= 3.1.1 - Authenticated (Subscriber+) Arbitrary File Deletion via '_old' Parameter
Title source: cnaDescription
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
References (13)
Core 13
Core References
Scores
CVSS v3
7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Details
CWE
CWE-22
Status
published
Products (1)
bitpressadmin/Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder
< 3.1.1
Published
Jul 09, 2026
Tracked Since
Jul 09, 2026