Arbitrary File Deletion Vulnerability in Bit Form Plugin for WordPress
CVE-2026-14372
7.1HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-14372?
The Bit Form plugin for WordPress contains a security vulnerability that allows authenticated users with subscriber-level access or higher to delete arbitrary files from the server. This weakness stems from inadequate validation in the deleteFiles function across all versions up to and including 3.1.1. If exploited, this can lead to severe consequences, such as remote code execution, especially if critical files like wp-config are removed. Website administrators should take immediate action to secure their installations.
Affected Version(s)
Bit Form β Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder 0 <= 3.1.1
References
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Athiwat Tiprasaharn (Jitlada)
Itthidej Aramsri (Boeing777)