WordPress Plugin Vulnerabilities

Bit Form – Contact Form Plugin < 2.21.7 - Missing Authorization to Unauthenticated Workflow Replay

Description

The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response.

Affects Plugins

Plugin icon
bit-form
Fixed in 2.21.7

References

CVE
CVE-2025-14901
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
andrea bocchetti
Verified
No
WPVDB ID
397fd5e3-ae63-4424-88c8-0309f10f6367

Timeline

Publicly Published
2026-01-06 (about 4 months ago)
Added
2026-01-06 (about 4 months ago)
Last Updated
2026-01-07 (about 4 months ago)

Other

Published
Title
Published
2025-12-11
Title
Laser <= 1.1.1 - Missing Authorization
Published
2025-12-14
Title
CMSMasters Content Composer < 2.5.9 - Missing Authorization
Published
2023-09-20
Title
Inactive Logout < 3.2.3 - Missing Authorization
Published
2025-12-15
Title
Easy Form Builder < 3.8.21 - Missing Authorization
Published
2025-11-29
Title
Notification for Telegram < 3.5.2 - Missing Authorization