cleantalk
Vulnerabilities and Security Researches

Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form, CVE-2025-6679

CVE, Research URL

CVE-2025-6679

Home page URL

Security reports for Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form

Application

Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form

Published on
Aug 15, 2025
Research Description
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.
Affected versions
Min -, max 2.20.4.
Status
vulnerable
Previous vulnerability researches
B Blocks – The ultimate block collection (CVE-2025-8059) , Aug 12, 2025
B Blocks – The ultimate block collection (ca74bacceb60973eeb228d127379636c61208cb5) , Jun 07, 2024
B Blocks – The ultimate block collection (CVE-2025-32173) , Apr 06, 2025
B Blocks – The ultimate block collection (CVE-2025-54708) , Aug 16, 2025
New vulnerability
Linux Promotional Plugin (CVE-2025-7668) , Aug 17, 2025
Poll Maker – Best WordPress Poll Plugin (CVE-2024-12575) , Aug 17, 2025
Add User Meta (CVE-2025-7688) , Aug 17, 2025
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor (CVE-2025-8896) , Aug 17, 2025
RSS Feed Pro (CVE-2025-53581) , Aug 17, 2025