CVE-2026-14372
Last modified
CVE-2026-14372 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config)..
Description
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| bitpressadmin | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | <= 3.1.1 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14372?
How severe is CVE-2026-14372?
How do I fix CVE-2026-14372?
Related CVEs from 2026
- CVE-2026-14358Improper neutralization of input during web page generation …6.1
- CVE-2026-1436Improper Access Control (IDOR) in the Graylog API, version 2…6.5
- CVE-2026-14361The consul-template library before version 0.42.1 is vulnera…4.7
- CVE-2026-14362HashiCorp memberlist before version 0.6.0 is vulnerable to a…4.9
- CVE-2026-14363Improper neutralization of special elements used in an SQL c…9.8
- CVE-2026-1437Reflected Cross-Site Scripting (XSS) vulnerability in the Gr…6.1
- CVE-2026-14373HashiCorp Nomad and Nomad Enterprise did not enforce the all…7.7
- CVE-2026-1438Reflected Cross-Site Scripting (XSS) vulnerability in the Gr…6.1
- CVE-2026-14380DBI versions before 1.650 for Perl are vulnerable to code in…8.8
- CVE-2026-14381Incorrect security UI in WebAppInstalls in Google Chrome pri…6.5
- CVE-2026-14382Insufficient validation of untrusted input in ANGLE in Googl…9.6
- CVE-2026-14383Inappropriate implementation in V8 in Google Chrome prior to…8.8
Are you affected by CVE-2026-14372?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
