WordPress Plugin Vulnerabilities

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder < 2.17.4 - Missing Authorization to Authenticated (Subscriber+) Form Submission Disclosure

Description

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bitform-form-entry-edit endpoint in all versions up to, and including, 2.17.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all form submissions from other users.

Affects Plugins

Plugin icon
bit-form
Fixed in 2.17.4

References

CVE
CVE-2024-12190
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ce9dab37-4118-4e13-857c-9aa072d25edf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Akbar Kustirama
Verified
No
WPVDB ID
b65f6de5-1cd7-41eb-b67d-339fec993f98

Timeline

Publicly Published
2024-12-24 (about 1 year ago)
Added
2024-12-24 (about 1 year ago)
Last Updated
2024-12-25 (about 1 year ago)

Other

Published
Title
Published
2025-11-21
Title
GoDAM < 1.4.7 - Missing Authorization
Published
2026-03-20
Title
Comments Import & Export < 2.5.0 - Missing Authorization
Published
2024-10-24
Title
Bold Page Builder < 5.1.4 - Missing Authorization
Published
2025-02-14
Title
Analytify < 5.5.1 - Missing Authorization
Published
2026-01-08
Title
Ultimate Gift Cards for WooCommerce < 3.2.5 - Missing Authorization