Bit Form Pro < 2.8.0 – Unauthenticated Arbitrary File Deletion | CVE 2024-43248 | Plugin Vulnerabilities

Description

The Bit Form Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.6.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Fixed in 2.8.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7a09288c-b8de-4674-9f96-d26ff3c7d917

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dave Jong

Verified

No

WPVDB ID

9691f6fd-4223-4b38-a668-7d0780609b5d

Timeline

Publicly Published

2024-08-12 (about 1 year ago)

Added

2024-08-22 (about 1 year ago)

Last Updated

2025-11-29 (about 3 months ago)

Other

Published

Title

Published

2025-06-27

Title

Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter

Published

2014-08-01

Title

Myflash - myextractXML.php path Parameter Arbitrary File Access

Published

2025-11-07

Title

WPFunnels < 3.6.3 - Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal

Published

2025-10-24

Title

Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings < 8.4.9 - Authenticated (Subscriber+) Arbitrary File Move

Published

2018-12-07

Title

WP Payeezy Pay < 2.98 - Local File Inclusion