Arbitrary File Upload Vulnerability in Bit Form Builder Plugin by WordPress
CVE-2025-6679

9.8 CRITICAL

What is CVE-2025-6679?

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file upload in all versions up to and including 2.20.4 because it does not adequately validate the type of uploaded files. This allows unauthenticated attackers to upload arbitrary files to the server hosting the affected site, which may make remote code execution possible. Exploitation requires the PRO version to be installed and activated, together with a published form that contains an advanced file upload element.
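For context on what "inadequate file type validation" means for a form upload element, the following is an added example of a server-side validator written from the defender's side; it is not the Bit Form plugin's own code. It assumes the WordPress runtime is loaded (sanitize_file_name, wp_basename, wp_check_filetype_and_ext and WP_Error are core functions) and that $mimes is the form's server-side allowlist of extension => MIME type.

```php
<?php
/**
 * Added example, not the plugin's code. Validate one $_FILES entry from a form
 * upload before it is moved into the uploads directory. $mimes is the assumed
 * per-form allowlist, e.g. array( 'pdf' => 'application/pdf', 'jpg|jpeg' => 'image/jpeg' ).
 * Returns array( 'name' => ..., 'type' => ... ) on success or a WP_Error.
 */
function example_validate_form_upload( array $file, array $mimes, $max_bytes = 5242880 ) {
    if ( ! isset( $file['tmp_name'], $file['name'], $file['size'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_upload', 'Not a valid uploaded file.' );
    }
    if ( (int) $file['size'] > $max_bytes ) {
        return new WP_Error( 'too_large', 'File exceeds the size limit.' );
    }

    // Never trust the client-supplied name as-is: drop any path and odd characters.
    $name = sanitize_file_name( wp_basename( $file['name'] ) );

    // Reject double extensions such as "invoice.php.pdf": every dotted segment after
    // the base name must be on the allowlist, not only the last one.
    $allowed_exts = array();
    foreach ( array_keys( $mimes ) as $key ) {
        foreach ( explode( '|', $key ) as $ext ) {
            $allowed_exts[] = strtolower( $ext );
        }
    }
    $segments = explode( '.', strtolower( $name ) );
    array_shift( $segments ); // discard the base name
    if ( empty( $segments ) ) {
        return new WP_Error( 'no_ext', 'File has no extension.' );
    }
    foreach ( $segments as $segment ) {
        if ( ! in_array( $segment, $allowed_exts, true ) ) {
            return new WP_Error( 'bad_ext', "Extension '{$segment}' is not allowed." );
        }
    }

    // Let core compare the declared extension against the file's real content
    // (magic bytes via fileinfo), restricted to this form's allowlist. A mismatch
    // yields false for 'ext' and 'type' and must be rejected outright.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'type_mismatch', 'File content does not match its extension.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // core-corrected extension for the real type
    }
    return array( 'name' => $name, 'type' => $check['type'] );
}
```

The allowlist must come from server-side form configuration, never from a hidden field or request parameter the visitor controls, and the accepted file should be stored in a directory where the web server does not execute scripts.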

Affected Version(s)

Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder: <= 2.20.3

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Tan Phat