CVE-2024-13451
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-07-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bitapps | bit_form | to 2.17.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Contact Form by Bit Form WordPress plugin (up to version 2.17.4) and allows unauthenticated attackers to access sensitive information. It occurs because the plugin does not properly prevent directory listing and does not randomize file names for uploaded files. As a result, attackers can retrieve files uploaded via the form, exposing potentially sensitive data. A partial fix was introduced in version 2.17.5.
How can this vulnerability impact me? :
The vulnerability can lead to exposure of sensitive data uploaded through the contact forms, which could include personal or confidential information. Since attackers do not need to be authenticated, this increases the risk of data leakage. This exposure could harm privacy, damage trust, and potentially lead to further exploitation depending on the nature of the exposed files.
What immediate steps should I take to mitigate this vulnerability?
Update the Contact Form by Bit Form plugin to version 2.17.5 or later, as this version includes a partial patch for the vulnerability. Additionally, review and restrict file upload permissions and access to uploaded files to prevent unauthorized access.