CVE-2025-14901
📋 TL;DR
This vulnerability allows unauthenticated attackers to replay form workflow executions in the Bit Form WordPress plugin. Attackers can trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms. All WordPress sites using vulnerable versions of the Bit Form plugin are affected.
💻 Affected Systems
- Bit Form - Contact Form Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could trigger spam campaigns, flood external systems with requests, execute unauthorized actions in connected CRMs/automation platforms, and potentially chain with other vulnerabilities for further compromise.
Likely Case
Spam email campaigns, webhook flooding, unauthorized data submissions to connected services, and disruption of form-related workflows.
If Mitigated
Limited to form workflow replay with no data exfiltration or system compromise if proper input validation and rate limiting are in place.
🎯 Exploit Status
Exploitation requires obtaining entry ID and log IDs from legitimate form submissions, which are typically exposed in form submission responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.21.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Bit Form - Contact Form Plugin'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.21.7+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or block access to the vulnerable bitforms_trigger_workflow AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_nopriv_bitforms_trigger_workflow', 'triggerWorkFlow');
Add to .htaccess for Apache: RewriteCond %{QUERY_STRING} action=bitforms_trigger_workflow [NC] RewriteRule .* - [F,L]
🧯 If You Can't Patch
- Disable the Bit Form plugin entirely until patched
- Implement WAF rules to block requests to wp-admin/admin-ajax.php with action=bitforms_trigger_workflow
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Bit Form version. If version is 2.21.6 or lower, you are vulnerable.Check Version:
wp plugin list --name='bit-form' --field=version (if WP-CLI installed)Verify Fix Applied:
Verify Bit Form plugin version is 2.21.7 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=bitforms_trigger_workflow from unauthenticated users
- Spike in form submission activity without corresponding page views
Network Indicators:
- Unusual outbound connections to webhook URLs, email servers, or CRM APIs triggered by form submissions
SIEM Query:
source="web_server_logs" url="*/wp-admin/admin-ajax.php*" action="bitforms_trigger_workflow" user="-" | stats count by src_ip🔗 References
- https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L146
- https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L30
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429172%40bit-form%2Ftrunk&old=3420966%40bit-form%2Ftrunk&sfp_email=&sfph_mail=#file827
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe?source=cve
