Server-Side Request Forgery Vulnerability in Contact Form Plugin by Bit Form for WordPress
CVE-2024-13450

6.5 MEDIUM

Summary

The Contact Form by Bit Form plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 2.17.4. The flaw allows authenticated attackers with Administrator-level access to make the web server issue requests to arbitrary URLs. Because those requests originate from the application itself, they can reach internal services that are not exposed to the attacker directly, allowing them to query or modify sensitive information or access internal resources. The issue is particularly concerning in Multisite setups, where multiple sites share the same resources and an administrator of one site can reach infrastructure that serves all of them, amplifying the potential impact.
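The two patterns below, added here as an illustration and not taken from the Bit Form plugin, contrast the class of code that produces this SSRF (an administrator-supplied URL fetched verbatim by the server) with a hardened version that restricts the scheme, checks the host against an allow-list, refuses destinations that resolve to loopback, private or link-local addresses, and uses WordPress's own `wp_safe_remote_get()` rather than `wp_remote_get()`. Function names prefixed `bf_example_` and the allow-list contents are assumptions for the example.

```php
<?php
// Added example of an SSRF sink and its hardened counterpart for a WordPress
// plugin context; not the Bit Form plugin's code. Assumes WordPress core
// functions (wp_remote_get, wp_safe_remote_get, wp_parse_url, WP_Error) are loaded.

// Vulnerable pattern: the destination comes from a privileged user and is
// fetched as-is, so the server can be steered at internal services.
function bf_example_fetch_unsafe( string $url ): string {
    $response = wp_remote_get( $url ); // no validation of the destination at all
    return is_wp_error( $response ) ? '' : wp_remote_retrieve_body( $response );
}

// True only for globally routable addresses: rejects RFC 1918 / fc00::/7
// (NO_PRIV_RANGE) and loopback, link-local and reserved ranges (NO_RES_RANGE).
function bf_example_is_public_ip( string $ip ): bool {
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Hardened pattern: scheme check, host allow-list, resolved-address check,
// no redirects, short timeout, and the "safe" HTTP API wrapper.
function bf_example_fetch_safe( string $url, array $allowed_hosts ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ssrf_url', 'URL could not be parsed.' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'ssrf_scheme', 'Only http and https URLs are permitted.' );
    }
    $host = strtolower( $parts['host'] );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return new WP_Error( 'ssrf_host', 'Destination host is not on the allow-list.' );
    }

    // Resolve every A/AAAA record so an allow-listed name cannot quietly point
    // at an internal address.
    $records = @dns_get_record( $host, DNS_A | DNS_AAAA );
    if ( empty( $records ) ) {
        return new WP_Error( 'ssrf_dns', 'Destination host did not resolve.' );
    }
    foreach ( $records as $record ) {
        $ip = $record['ip'] ?? $record['ipv6'] ?? '';
        if ( ! bf_example_is_public_ip( $ip ) ) {
            return new WP_Error( 'ssrf_private', 'Destination resolves to a non-public address.' );
        }
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so WordPress core also runs
    // wp_http_validate_url() against the target (blocking local/private IPs and
    // unexpected ports). Disabling redirects prevents an allowed host from
    // bouncing the request to an internal one.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// Example call (hosts are constructed for the example):
// bf_example_fetch_safe( 'https://api.example.com/v1/status', array( 'api.example.com' ) );
```

The resolved-address check and the actual connection are separate DNS lookups, so a name that changes its answer between them (DNS rebinding) can still slip through; pinning the checked IP for the connection, or running such outbound requests from a network segment with no route to internal services, closes that gap. The point of the allow-list is that an administrator's UI should never be able to name an arbitrary host in the first place.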

Affected Version(s)

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.17.4

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Francesco Carlucci