CVE-2025-6679
BaseFortify
Publication date: 2025-08-15
Last updated on: 2025-08-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | bit_form | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Bit Form builder plugin for WordPress allows unauthenticated attackers to upload arbitrary files to the affected site's server because the plugin lacks proper file type validation in all versions up to and including 2.20.4. Exploiting this requires the PRO version of the plugin to be installed and activated, and a form with an advanced file upload element to be published. This can potentially lead to remote code execution on the server.
How can this vulnerability impact me? :
The vulnerability can allow attackers to upload malicious files to your server without authentication, which may lead to remote code execution. This can result in full compromise of the affected website, including data theft, site defacement, or use of the server for further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Bit Form builder plugin to a version later than 2.20.4 where the issue is fixed. Additionally, if you are using the PRO version and have published forms with advanced file upload elements, consider disabling or removing those forms until the update is applied. Restricting file upload permissions and monitoring for unauthorized uploads can also help reduce risk.