Server-Side Request Forgery Vulnerability in Bit Integrations Plugin for WordPress
CVE-2026-11989

6.5 MEDIUM

What is CVE-2026-11989?

The Bit Integrations plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 2.8.7, through the upload_attachment functionality. Unauthenticated attackers can cause the web application to make requests to arbitrary locations. The flaw is exploitable when a form integration is configured with fields related to WooCommerce product images or downloadable files; attackers can then use it to query and manipulate internal services, potentially leading to unauthorized access or data breaches.

Affected Version(s)

Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation: versions 0 through 2.8.7 (inclusive)

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chris Peterson