Bit Form <= 3.1.1 - Authenticated (Subscriber+) Arbitrary File Deletion via '_old' Parameter
Summary
| CVE | CVE-2026-14372 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-09 11:16:24 UTC |
| Updated | 2026-07-09 16:19:45 UTC |
| Description | The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config). |
Risk And Classification
Primary CVSS: v3.1 7.1 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Problem Types: CWE-22 | CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Bitpressadmin | Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder | affected 3.1.1 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Form/FormManager.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Form/FormManager.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Admin/Form/Helpers.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Core/Util/FileHandler.php | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/943668eb-0185-4029-9459-f9914... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/changeset/3598554/bit-form/trunk/includes/Core/Form/FormManag... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Frontend/Ajax/FrontendAj... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Frontend/Ajax/FrontendAjax.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Form/FormManager.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Form/FormManager.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/tags/3.1.1/includes/Admin/Form/Helpers.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/changeset | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Core/Util/FileHandler.php | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Athiwat Tiprasaharn (Jitlada) (en)
CNA: Itthidej Aramsri (Boeing777) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-07-01T20:12:49.000Z | Vendor Notified |
| CNA | 2026-07-08T21:29:05.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.