Data Exposure in Bit Form Contact Form Plugin for WordPress
CVE-2024-12190

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Contact Form By Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form Builder
Vendor: CVE Published:; 25 December 2024

What is CVE-2024-12190?

The Contact Form by Bit Form, including its Multi Step Form, Calculation Contact Form, Payment Contact Form, and Custom Contact Form builder, contains a security vulnerability that exposes sensitive data. Due to a lack of necessary capability checks on the 'bitform-form-entry-edit' endpoint, authenticated users with Subscriber-level access and higher can access form submissions made by other users. This flaw affects all versions of the plugin up to and including 2.17.3, potentially compromising user privacy and data security on WordPress sites utilizing these contact forms.

Affected Version(s)

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder * <= 2.17.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3204875/bit-...

https://plugins.trac.wordpress.org/changeset/3209668/bit-...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 25, 2024
Vulnerability Reserved
Dec 4, 2024

Credit

Akbar Kustirama