Stored Cross-Site Scripting Vulnerability in Contact Form Plugin by Bit Form
CVE-2025-2580
CVSS score: 4.9 (MEDIUM)
Key Information:
- Vendor: WordPress
- CVE Published: 25 April 2025
What is CVE-2025-2580?
The Contact Form by Bit Form plugin for WordPress is susceptible to stored cross-site scripting because it neither sanitizes the contents of uploaded SVG files on input nor escapes them on output. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. The injected script executes whenever a user accesses the affected SVG file, potentially compromising that user's data and the integrity of the site.
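An added defensive check, written for this advisory and not taken from the plugin or the vendor: a server-side validator that rejects SVG uploads carrying active content, the class of input the missing sanitization lets through. The element and scheme lists are assumed, the sample files are constructed, and a real deployment would also serve uploads with `Content-Disposition: attachment` and a restrictive CSP rather than relying on this filter alone.

```python
import re
import xml.etree.ElementTree as ET  # stdlib; use defusedxml when parsing untrusted input

# Element local names (lower-cased) that execute or embed active content (assumed list).
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# href schemes that make a link executable or HTML-bearing (assumed list).
FORBIDDEN_SCHEMES = {"javascript", "vbscript", "data"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on element and attribute names."""
    return tag.rsplit("}", 1)[-1].lower()

def href_scheme(value: str) -> str:
    """Return the URL scheme of an href value, or '' if it has none."""
    # Browsers drop tabs, newlines and control chars inside URLs, so 'java&#10;script:' still runs.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""

def svg_violations(svg_bytes: bytes) -> list:
    """Return the reasons to reject the upload; an empty list means the file passed."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        return [f"root element is <{local_name(root.tag)}>, not <svg>"]
    problems = []
    for el in root.iter():  # iter() includes the root element itself
        name = local_name(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)  # covers both href and xlink:href
            if aname.startswith("on"):
                problems.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and href_scheme(value) in FORBIDDEN_SCHEMES:
                problems.append(f"{href_scheme(value)}: URL in href on <{name}>")
    return problems

# Constructed samples: a benign icon, and a file carrying three injection vectors.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
           b'<script>x()</script><a href="java&#10;script:x()">'
           b'<text>link</text></a></svg>')
```

Calling `svg_violations(BAD_SVG)` reports the `onload` handler, the `<script>` element and the newline-obfuscated `javascript:` link, while `CLEAN_SVG` yields an empty list.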
Affected Version(s)
- Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder: <= 2.18.3