WordPress Plugin Vulnerabilities

Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form < 2.10.2 - Unauthenticated Insecure Direct Object Reference to Form Submission Alteration

Description

The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions.

Affects Plugins

Plugin icon
bit-form
Fixed in 2.10.2

References

CVE
CVE-2024-1640
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/49ed7d6a-4a65-4efc-90e5-ffa5470d4011

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
809f0248-82cf-4cd9-866b-527bb280e1fa

Timeline

Publicly Published
2024-03-13 (about 2 years ago)
Added
2024-03-13 (about 2 years ago)
Last Updated
2024-03-13 (about 2 years ago)

Other

Published
Title
Published
2025-03-13
Title
WP JobHunt <= 7.1 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
Published
2025-12-29
Title
Backpack Traveler <= 2.10.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-12-20
Title
WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference
Published
2022-08-02
Title
Affiliate For WooCommerce < 4.8.0 - Subscriber+ Paypal Email Update via IDOR
Published
2025-11-24
Title
Admin and Customer Messages After Order for WooCommerce: OrderConvo < 15 - Missing Authorization to Unauthenticated Information Disclosure