WordPress Plugin Vulnerabilities

Contact Form by Bit Form< 2.15.3 - Admin+ Arbitrary File Read

Description

The plugin is vulnerable to arbitrary file read due to improper input validation within the iconUpload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to leverage a PHP filter chain attack and read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
bit-form
Fixed in 2.15.3

References

CVE
CVE-2024-9507
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46842f-ed07-4f72-aedb-aa27baecd79c

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
2.7 (low)

Miscellaneous

Original Researcher
TANG Cheuk Hei (siunam)
Verified
No
WPVDB ID
b3757400-21fd-4cf3-91bb-2bd03d02d980

Timeline

Publicly Published
2024-10-10 (about 1 year ago)
Added
2024-10-11 (about 1 year ago)
Last Updated
2024-10-11 (about 1 year ago)

Other

Published
Title
Published
2025-09-03
Title
atec Debug < 1.2.23 - Admin+ Arbitrary File Read
Published
2023-06-12
Title
wpForo Forum < 2.1.8 - Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents
Published
2021-04-14
Title
Plus Addons for Elementor < 2.0.7 - Contributor+ Arbitrary File Access
Published
2022-08-01
Title
Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download
Published
2022-10-17
Title
WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi