{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/bit-form/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-14372"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator \u0026 Custom Form Builder plugin for WordPress (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","web","rce","file-deletion"],"_cs_type":"advisory","_cs_vendors":["Bit Form"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-14372, has been identified in The Bit Form - Contact Form, Payment Forms, Multi Step Forms, Calculator \u0026amp; Custom Form Builder plugin for WordPress, affecting all versions up to and including 3.1.1. This flaw stems from insufficient file path validation within the plugin's \u003ccode\u003edeleteFiles\u003c/code\u003e function, enabling authenticated attackers with at least subscriber-level privileges to perform arbitrary file deletion on the host server. The potential impact of this vulnerability is severe, as the deletion of sensitive files, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, can easily pave the way for remote code execution (RCE) by disrupting the WordPress installation's integrity and allowing for potential re-installation hijacking or exploitation of other vulnerabilities in the compromised state. Organizations using this plugin should prioritize patching to mitigate the risk of server compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker obtains valid credentials for a WordPress user account with subscriber-level access or higher on a website running the vulnerable Bit Form plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Request\u003c/strong\u003e: The attacker crafts and sends a malicious HTTP POST request to a specific endpoint within the WordPress installation, targeting the vulnerable \u003ccode\u003edeleteFiles\u003c/code\u003e function of The Bit Form plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Traversal Insertion\u003c/strong\u003e: The crafted request includes path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\u003c/code\u003e) embedded within the parameter designated for specifying the file path to be deleted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Deletion\u003c/strong\u003e: Due to inadequate file path validation by the \u003ccode\u003edeleteFiles\u003c/code\u003e function, the plugin processes the malformed request and proceeds to delete an arbitrary file located outside its intended directory, such as \u003ccode\u003ewp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWordPress Instability\u003c/strong\u003e: The deletion of a critical file like \u003ccode\u003ewp-config.php\u003c/code\u003e renders the WordPress installation inoperable or reverts it to an unconfigured state, often triggering the initial setup/re-installation process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The attacker leverages the now unconfigured WordPress state, either by completing a malicious re-installation or exploiting other vulnerabilities that become feasible due to the missing configuration file, to achieve Remote Code Execution on the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-14372 can lead to severe consequences for affected WordPress websites. Authenticated attackers can delete critical system files, including but not limited to \u003ccode\u003ewp-config.php\u003c/code\u003e, which stores database credentials and other vital configuration settings. This can immediately lead to denial of service, data corruption, and potentially full website defacement or compromise. If \u003ccode\u003ewp-config.php\u003c/code\u003e is deleted, attackers can often trigger a re-installation of WordPress and gain administrative control, ultimately leading to remote code execution on the server and complete takeover of the website and hosting environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-14372 by updating The Bit Form plugin to a patched version immediately.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for any suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e or other plugin endpoints containing \u003ccode\u003e../\u003c/code\u003e or \u003ccode\u003e..\\\u003c/code\u003e sequences, especially in conjunction with parameters related to file deletion functions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T11:19:20Z","date_published":"2026-07-09T11:19:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-bitform-arbitrary-file-deletion/","summary":"The Bit Form WordPress plugin (versions up to 3.1.1) is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access to delete critical server files like wp-config.php, potentially leading to remote code execution.","title":"CVE-2026-14372 - The Bit Form WordPress Plugin Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-07-bitform-arbitrary-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Bit Form","version":"https://jsonfeed.org/version/1.1"}