Arbitrary File Deletion Vulnerability in Bit Form Plugin for WordPress
CVE-2026-14372

7.1HIGH

What is CVE-2026-14372?

The Bit Form plugin for WordPress contains a security vulnerability that allows authenticated users with subscriber-level access or higher to delete arbitrary files from the server. This weakness stems from inadequate validation in the deleteFiles function across all versions up to and including 3.1.1. If exploited, this can lead to severe consequences, such as remote code execution, especially if critical files like wp-config are removed. Website administrators should take immediate action to secure their installations.

Affected Version(s)

Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder 0 <= 3.1.1

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn (Jitlada)
Itthidej Aramsri (Boeing777)
.