Arbitrary File Upload Vulnerability in Bit Form Builder Plugin by WordPress
CVE-2025-6679
9.8 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 15 August 2025
What is CVE-2025-6679?
The Bit Form builder plugin for WordPress is susceptible to an arbitrary file upload vulnerability due to inadequate file type validation in all versions up to and including 2.20.4. This flaw allows unauthenticated attackers to upload harmful files to the server hosting the affected site, potentially leading to remote code execution. Exploitation is contingent upon the PRO version being installed and activated, and on a published form that includes an advanced file upload element.
Affected Version(s)
Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder: <= 2.20.3
References
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Nguyen Tan Phat