Back to overview

CVE-2026-14372

HIGH
7.1
CVSS 3.1
Description
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).

Metadata

CVE ID
CVE-2026-14372
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-01 19:57 UTC
Published
2026-07-09 09:31 UTC
Last updated
2026-07-09 12:31 UTC
Primary CWE
CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product
bitpressadmin / Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
bitpressadmin Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder 0 ≤ 3.1.1
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Back to overview