Unauthorized Workflow Execution in Bit Form Contact Form Plugin for WordPress
CVE-2025-14901
Key Information:
- Vendor: WordPress
- CVE Published: 7 January 2026
What is CVE-2025-14901?
The Bit Form Contact Form Plugin for WordPress contains a flaw that allows unauthorized workflow execution. It stems from a logic error in the nonce verification inside the triggerWorkFlow function: the handler rejects a request on nonce failure only when the caller is logged in, so an unauthenticated request with a missing or invalid nonce is not blocked at all. As a result, an unauthenticated attacker who obtains the entry ID and log IDs of a legitimate form submission can replay that submission's workflow execution through the bitforms_trigger_workflow AJAX action, re-triggering every integration configured for the form, including webhooks, email notifications, CRM integrations, and automation platforms.
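The following is an added illustration of the check described above, written for this page; it is not the plugin's own code, and the function names bf_trigger_workflow_vulnerable, bf_trigger_workflow_fixed, bf_run_integrations, the nonce action string 'bitforms_workflow' and the manage_options capability are assumptions. Only the WordPress API calls (is_user_logged_in, wp_verify_nonce, check_ajax_referer, current_user_can, wp_send_json_error, add_action) are real. The vulnerable shape shows why login state must never gate the nonce check; the hardened shape enforces the nonce for every caller and stops registering the unauthenticated (nopriv) hook.

```php
<?php
// Added example, not code from the Bit Form plugin. Names marked
// "hypothetical" are assumptions made for illustration.

// Hypothetical stand-in for the plugin's integration fan-out
// (webhooks, email notifications, CRM, automation platforms).
function bf_run_integrations( int $entry_id, array $log_ids ): void {
    // ... dispatch integrations for the given entry and log IDs ...
}

// VULNERABLE shape of the check described in the advisory.
// The nonce only matters when the caller is logged in; an anonymous
// request with a missing or bogus nonce falls through to the trigger.
function bf_trigger_workflow_vulnerable(): void {
    $nonce = isset( $_REQUEST['_ajax_nonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_ajax_nonce'] ) )
        : '';

    // BUG: the "&&" ties the nonce check to login state.
    if ( is_user_logged_in() && ! wp_verify_nonce( $nonce, 'bitforms_workflow' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }

    $entry_id = absint( $_REQUEST['entryID'] ?? 0 );           // hypothetical param name
    $log_ids  = array_map( 'absint', (array) ( $_REQUEST['logIDs'] ?? [] ) ); // hypothetical

    bf_run_integrations( $entry_id, $log_ids );   // replayable by anyone holding the IDs
    wp_send_json_success();
}
// Registered for both authenticated and unauthenticated callers, which is
// what makes the anonymous replay reachable.
add_action( 'wp_ajax_bitforms_trigger_workflow',        'bf_trigger_workflow_vulnerable' );
add_action( 'wp_ajax_nopriv_bitforms_trigger_workflow', 'bf_trigger_workflow_vulnerable' );

// HARDENED shape. check_ajax_referer() terminates the request with a 403
// whenever the nonce is absent or invalid, regardless of login state, and
// an explicit capability check (hypothetical choice: manage_options) makes
// sure that merely being logged in is not enough to re-fire integrations.
function bf_trigger_workflow_fixed(): void {
    check_ajax_referer( 'bitforms_workflow', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $entry_id = absint( $_REQUEST['entryID'] ?? 0 );
    $log_ids  = array_map( 'absint', (array) ( $_REQUEST['logIDs'] ?? [] ) );

    bf_run_integrations( $entry_id, $log_ids );
    wp_send_json_success();
}
// Only the authenticated hook is registered; the nopriv hook is deliberately
// absent, so an anonymous request never reaches the handler at all.
add_action( 'wp_ajax_bitforms_trigger_workflow', 'bf_trigger_workflow_fixed' );
```

A quick check for any admin-ajax handler you maintain: every branch that calls a side-effecting function must be preceded by a nonce check that runs unconditionally and, where the action is privileged, by a capability check; if the handler is registered on a wp_ajax_nopriv_ hook, ask whether anonymous callers genuinely need it, because knowledge of a database ID is not an authorization token.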
Affected Version(s)
- Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder: all versions up to and including 2.21.6
Timeline
- Vulnerability published: 7 January 2026
- Vulnerability reserved