<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bit Form - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/bit-form/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 11:19:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/bit-form/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14372 - The Bit Form WordPress Plugin Arbitrary File Deletion</title><link>https://feed.craftedsignal.io/briefs/2026-07-bitform-arbitrary-file-deletion/</link><pubDate>Thu, 09 Jul 2026 11:19:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-bitform-arbitrary-file-deletion/</guid><description>The Bit Form WordPress plugin (versions up to 3.1.1) is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access to delete critical server files like wp-config.php, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-14372, has been identified in The Bit Form - Contact Form, Payment Forms, Multi Step Forms, Calculator &amp; Custom Form Builder plugin for WordPress, affecting all versions up to and including 3.1.1. This flaw stems from insufficient file path validation within the plugin's <code>deleteFiles</code> function, enabling authenticated attackers with at least subscriber-level privileges to perform arbitrary file deletion on the host server. The potential impact of this vulnerability is severe, as the deletion of sensitive files, such as <code>wp-config.php</code>, can easily pave the way for remote code execution (RCE) by disrupting the WordPress installation's integrity and allowing for potential re-installation hijacking or exploitation of other vulnerabilities in the compromised state. Organizations using this plugin should prioritize patching to mitigate the risk of server compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker obtains valid credentials for a WordPress user account with subscriber-level access or higher on a website running the vulnerable Bit Form plugin.</li>
<li><strong>Exploitation Request</strong>: The attacker crafts and sends a malicious HTTP POST request to a specific endpoint within the WordPress installation, targeting the vulnerable <code>deleteFiles</code> function of The Bit Form plugin.</li>
<li><strong>Path Traversal Insertion</strong>: The crafted request includes path traversal sequences (e.g., <code>../</code>, <code>..\</code>) embedded within the parameter designated for specifying the file path to be deleted.</li>
<li><strong>Arbitrary File Deletion</strong>: Due to inadequate file path validation by the <code>deleteFiles</code> function, the plugin processes the malformed request and proceeds to delete an arbitrary file located outside its intended directory, such as <code>wp-config.php</code>.</li>
<li><strong>WordPress Instability</strong>: The deletion of a critical file like <code>wp-config.php</code> renders the WordPress installation inoperable or reverts it to an unconfigured state, often triggering the initial setup/re-installation process.</li>
<li><strong>Remote Code Execution</strong>: The attacker leverages the now unconfigured WordPress state, either by completing a malicious re-installation or exploiting other vulnerabilities that become feasible due to the missing configuration file, to achieve Remote Code Execution on the underlying server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-14372 can lead to severe consequences for affected WordPress websites. Authenticated attackers can delete critical system files, including but not limited to <code>wp-config.php</code>, which stores database credentials and other vital configuration settings. This can immediately lead to denial of service, data corruption, and potentially full website defacement or compromise. If <code>wp-config.php</code> is deleted, attackers can often trigger a re-installation of WordPress and gain administrative control, ultimately leading to remote code execution on the server and complete takeover of the website and hosting environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-14372 by updating The Bit Form plugin to a patched version immediately.</li>
<li>Review web server access logs for any suspicious POST requests to <code>/wp-admin/admin-ajax.php</code> or other plugin endpoints containing <code>../</code> or <code>..\</code> sequences, especially in conjunction with parameters related to file deletion functions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>vulnerability</category><category>web</category><category>rce</category><category>file-deletion</category></item></channel></rss>