CVE-2025-14901
Unauthorized Workflow Execution in Bit Form Contact Form Plugin
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bit_form | contact_form_plugin | up to and including 2.21.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Bit Form Contact Form Plugin for WordPress is due to a missing authorization check in the triggerWorkFlow function. Specifically, a logic flaw in the nonce verification only rejects a request when both the nonce check fails and the user is logged in, so a request from an unauthenticated user passes regardless of whether its nonce is valid. This allows unauthenticated attackers to replay form workflow executions and trigger all configured integrations, such as webhooks, email notifications, CRM integrations, and automation platforms, through the bitforms_trigger_workflow AJAX action if they can obtain the entry ID and log IDs from a legitimate form submission.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to execute workflows configured in the plugin without authorization. This means attackers could trigger actions like sending emails, invoking webhooks, or interacting with CRM and automation platforms, potentially leading to unauthorized data processing, spam, or manipulation of integrated systems. It impacts the integrity and availability of the affected systems by allowing malicious workflow executions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests to the `bitforms_trigger_workflow` action on your WordPress site, especially those that include valid entry IDs and log IDs without proper authentication. You can use network monitoring tools or web server logs to identify suspicious POST requests to `admin-ajax.php` with the parameter `action=bitforms_trigger_workflow`. For example, using command-line tools:
1. Use grep on your web server access logs to find such requests: `grep 'action=bitforms_trigger_workflow' /path/to/access.log`
2. Use curl to test if the endpoint accepts unauthenticated requests with known entry and log IDs: `curl -X POST -d 'action=bitforms_trigger_workflow&entry_id=KNOWN_ENTRY_ID&log_id=KNOWN_LOG_ID&nonce=TEST_NONCE' https://yourdomain.com/wp-admin/admin-ajax.php`
3. Use tools like Wireshark or tcpdump to capture and analyze HTTP POST requests to the AJAX endpoint for suspicious activity.
These methods help detect attempts to exploit the missing authorization in the workflow trigger. [3]
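As an added example that is not part of this record or of the plugin's code, the following Python triage script applies the access-log check described above to constructed sample lines: it parses combined-format entries, keeps only POSTs to `admin-ajax.php` carrying the `bitforms_trigger_workflow` action, and flags any source address that hits it repeatedly, which is what a replayed entry/log ID pair looks like from the server side. All IPs, timestamps and parameter values in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=bitforms_trigger_workflow&entry_id=41&log_id=9 HTTP/1.1" 200 87 "-" "python-requests/2.32"
203.0.113.7 - - [07/Jan/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=bitforms_trigger_workflow&entry_id=41&log_id=9 HTTP/1.1" 200 87 "-" "python-requests/2.32"
203.0.113.7 - - [07/Jan/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=bitforms_trigger_workflow&entry_id=42&log_id=9 HTTP/1.1" 200 87 "-" "python-requests/2.32"
198.51.100.5 - - [07/Jan/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "https://example.org/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2026:10:06:00 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TARGET_ACTION = "bitforms_trigger_workflow"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_workflow_trigger(rec):
    """True when the request is a POST to admin-ajax.php whose query string selects the target action."""
    if rec["method"] != "POST" or "/admin-ajax.php" not in rec["path"]:
        return False
    query = rec["path"].split("?", 1)[-1] if "?" in rec["path"] else ""
    return f"action={TARGET_ACTION}" in query.split("&")


def find_workflow_triggers(log_text, replay_threshold=2):
    """Count trigger hits per source IP and return the IPs at or above replay_threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_workflow_trigger(rec):
            hits[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in hits.items() if n >= replay_threshold)
    return dict(hits), suspects


if __name__ == "__main__":
    counts, suspects = find_workflow_triggers(SAMPLE_LOG)
    print("hits per IP:", counts)
    print("repeat sources:", suspects)
```

A standard combined-format log records only the request line, so this check sees the action only when it is sent in the query string; an `action` sent in the POST body is invisible here and needs a WAF or application-level request logging to catch.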
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Update the Bit Form Contact Form Plugin to a version later than 2.21.6 where the vulnerability is fixed.
2. If an update is not immediately possible, restrict access to the AJAX endpoint by implementing firewall rules or security plugins to block unauthenticated requests to `admin-ajax.php` with the `bitforms_trigger_workflow` action.
3. Monitor logs for suspicious activity related to this AJAX action and revoke or rotate any exposed entry or log IDs.
4. Consider disabling or limiting integrations triggered by workflows until the patch is applied.
These steps reduce the risk of unauthorized workflow execution until a proper fix is deployed. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.