WordPress Plugin Vulnerabilities

Bit Form < 2.13.4 - Authenticated (Administrator+) Arbitrary File Upload

Description

The Bit Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'iconUpload' function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
bit-form
Fixed in 2.13.4

References

CVE
CVE-2024-6123
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d1b255f-d775-4bd5-892e-42bf82dd5632

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
f73533e1-8c83-47f3-b441-bbd645716f43

Timeline

Publicly Published
2024-07-08 (about 1 year ago)
Added
2024-07-08 (about 1 year ago)
Last Updated
2024-08-14 (about 1 year ago)

Other

Published
Title
Published
2015-05-03
Title
Showbiz Pro <= 1.7.1 - Shell Upload
Published
2021-10-13
Title
Brizy < 2.3.12 - Authenticated File Upload and Path Traversal
Published
2026-04-16
Title
Academy LMS Pro < 3.5.2 - Authenticated (Custom+) Arbitrary File Upload
Published
2024-04-25
Title
XStore Core <= 5.3.5 - Authenticated (Subscriber+) Limited Arbitrary File Upload
Published
2015-03-04
Title
DesignFolio Plus Theme <= 1.2 - Arbitrary File Upload