Bit Form <= 2.13.3 - Authenticated (Administrator+) Arbitrary File Upload
CVE-2024-6123

7.2 HIGH

Summary

The Bit Form plugin for WordPress is vulnerable to arbitrary file upload because the 'iconUpload' function does not adequately validate the type of the uploaded file. All versions up to and including 2.13.3 are affected. An authenticated attacker with administrator-level permissions can upload arbitrary files to the affected site's server, which may lead to remote code execution and puts the integrity and security of the site at substantial risk. Site administrators are advised to check which plugin version they are running and apply the necessary security measures.
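The missing check the summary describes, as an added example: a hardened icon-upload handler for a hypothetical WordPress plugin. This is not Bit Form's own code; the handler, AJAX action, nonce name and option names are assumptions.

```php
<?php
// Added example (not Bit Form's code): a hardened icon-upload handler for a
// hypothetical WordPress plugin; all function, action and option names are
// assumptions. The weak pattern the advisory describes trusts the client-supplied
// file name/MIME type; the checks below close that gap.
function example_secure_icon_upload() {
    // Only a logged-in administrator making an intended request may upload.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_icon_upload', 'nonce' );

    if ( empty( $_FILES['icon'] ) || UPLOAD_ERR_OK !== $_FILES['icon']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['icon'];

    // Allow-list of raster image types only; .php, .phtml, .svg etc. are rejected.
    $allowed = array(
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
    );

    // Check extension AND content: wp_check_filetype_and_ext() sniffs the bytes,
    // and getimagesize() must parse the file as a genuine image.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || ! isset( $allowed[ $check['ext'] ] )
        || false === @getimagesize( $file['tmp_name'] ) ) {
        wp_send_json_error( 'only PNG, JPEG or GIF icons are accepted', 415 );
    }

    // Never keep the client-supplied name: random name with the verified extension.
    $safe_name = wp_generate_password( 16, false ) . '.' . $check['ext'];

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) use ( $safe_name ) {
            return $safe_name;
        },
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_icon_upload', 'example_secure_icon_upload' );
```

Note that `wp_send_json_error()` terminates the request, so every failed check above stops the handler before any file is written.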

Affected Version(s)

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.13.3

CVSS V3.1

  • Score: 7.2 (HIGH)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Timeline

  • Vulnerability published

Credit

István Márton