Contact Form by Bit Form – Bit Form < 2.20.4 – Unauthenticated Arbitrary File Upload | CVE 2025-6679 | Plugin Vulnerabilities

Description

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.

Affects Plugins

Fixed in 2.20.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2e294f-904b-4674-8baf-d3a9a260d634

Miscellaneous

Original Researcher

Phat RiO - BlueRock

Verified

No

WPVDB ID

f0b77b18-d8d8-4cc5-b8e0-e9428d381985

Timeline

Publicly Published

2025-08-14 (about 8 months ago)

Added

2025-08-14 (about 8 months ago)

Last Updated

2025-08-15 (about 8 months ago)

Other

Published

Title

Published

2020-07-28

Title

Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload

Published

2021-08-16

Title

Email Artillery <= 4.1 - Arbitrary File Upload

Published

2025-12-04

Title

ContentStudio < 1.4.0 - Authenticated (Author+) Arbitrary File Upload

Published

2024-01-18

Title

AI Engine < 2.1.5 - Editor+ Arbitrary File Upload via add_image_from_url

Published

2025-10-28

Title

Contact Form 7 PDF, Google Sheet & Database < 3.1.0 - Authenticated (Subscriber+) Arbitrary File Upload