CVE-2024-7777: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) Arbitrary File Read And Deletion
First published: Tue Aug 20 2024(Updated: )
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in multiple functions in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Contact Form Builder | >=2.0.0<2.13.10 |
Remedy
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L829
Remedy
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L852
Remedy
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L875
Remedy
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L898
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4deb128d-0163-4a8e-9591-87352f74c3ef?source=cve
- https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L829
- https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L852
- https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L875
- https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.3/includes/Admin/AdminAjax.php#L898
Frequently Asked Questions
What is the severity of CVE-2024-7777?
CVE-2024-7777 is considered a high severity vulnerability due to arbitrary file read and deletion risks.
How do I fix CVE-2024-7777?
To fix CVE-2024-7777, update the Bitapps Contact Form Builder plugin to version 2.13.10 or later.
What versions of the Bitapps Contact Form Builder plugin are affected by CVE-2024-7777?
CVE-2024-7777 affects Bitapps Contact Form Builder plugin versions from 2.0.0 to 2.13.9.
What are the potential risks of CVE-2024-7777?
The risks of CVE-2024-7777 include unauthorized access to sensitive files and potential data loss.
Is CVE-2024-7777 related to WordPress?
Yes, CVE-2024-7777 is a vulnerability in a WordPress plugin specifically designed for contact form management.
- agent/weakness
- agent/references
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/bitapps
- canonical/contact form builder
- version/contact form builder/2.0.0