Plugin Vulnerability Hub
Plugin 21 known issues Latest disclosed Jan 28, 2026

Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Vulnerabilities

Review known vulnerability records for the WordPress plugin Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder (`bit-form`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-25418, CVE-2025-14901 and CVE-2025-6679, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 21
High or Critical: 10
Patch Coverage: 100%
Last Updated: Feb 26, 2026

Patch Decision Workflow

How to prioritize Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records: 21

1. Match the Package: Confirm the installed WordPress plugin slug is bit-form before acting on any CVE from this cluster.
2. Sort by Severity: Start with 10 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence: 21 records include a patch path; verify compatibility before closing the finding.
4. Monitor Gaps: 0 records still lack a listed fixed release, so keep this hub in the review queue.

Priority CVE Quick Links

Fast paths into Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 21

| Tracked CVE | Issue | Type | Affected Versions | Fixed Version | CVSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-6679 | Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Uploa... | Remote Code Execution | Versions up to 2.20.3 | 2.20.4 | 9.8 |
| CVE-2022-4774 | Bit Form <= 1.8.1 - Unauthenticated Arbitrary File Upload to Remote Code Execution | Remote Code Execution | Versions up to 1.8.1 | 1.9 | 9.8 |
| CVE-2024-7777 | Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact... | Remote Code Execution | 2.0 through 2.13.9 | 2.13.10 | 9.0 |
| CVE-2024-7782 | Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact... | Remote Code Execution | 2.0 through 2.13.4 | 2.13.5 | 8.7 |
| CVE-2025-30885 | Bit Form – Contact Form Plugin <= 2.18.0 - Open Redirect | Vulnerability | Versions up to 2.18.0 | 2.18.1 | 7.2 |
| CVE-2024-47319 | Bit Form – Contact Form Plugin <= 2.13.10 - Authenticated (Administrator+) Arbitrary... | Remote Code Execution | Versions up to 2.13.10 | 2.13.11 | 7.2 |
| CVE-2024-47301 | Bit Form – Contact Form Plugin <= 2.13.10 - Unauthenticated Stored Cross-Site Script... | Stored Cross-Site Scripting | Versions up to 2.13.10 | 2.13.11 | 7.2 |
| CVE-2024-7702 | Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact... | SQL Injection | 2.0 through 2.13.9 | 2.13.10 | 7.2 |

CVE-2025-6679 Critical 2.20.4
CVE-2025-6679 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Remote Code Execution

Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload

CVE-2022-4774 Critical 1.9
CVE-2022-4774 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Remote Code Execution

Bit Form <= 1.8.1 - Unauthenticated Arbitrary File Upload to Remote Code Execution

CVE-2024-7777 Critical 2.13.10
CVE-2024-7777 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Remote Code Execution

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) Arbitrary File Read And Deletion

CVE-2024-7782 High 2.13.5
CVE-2024-7782 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Remote Code Execution

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.4 - Authenticated (Administrator+) Arbitrary File Deletion

CVE-2025-30885 High 2.18.1
CVE-2025-30885 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Vulnerability

Bit Form – Contact Form Plugin <= 2.18.0 - Open Redirect

CVE-2024-47319 High 2.13.11
CVE-2024-47319 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Remote Code Execution

Bit Form – Contact Form Plugin <= 2.13.10 - Authenticated (Administrator+) Arbitrary File Upload

CVE-2024-47301 High 2.13.11
CVE-2024-47301 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder Stored Cross-Site Scripting

Bit Form – Contact Form Plugin <= 2.13.10 - Unauthenticated Stored Cross-Site Scripting

CVE-2024-7702 High 2.13.10
CVE-2024-7702 Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder SQL Injection

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection via getLogHistory Function

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 21 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 3 critical and 7 high severity findings.
Recent CVEs: CVE-2026-25418, CVE-2025-14901 and CVE-2025-6679
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-25418
CVE-2026-25418: Bit Form <= 2.21.10 - Authenticated (Administrator+) SQL Injection

The Bit Form plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.21.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers,...

Published: Jan 28, 2026
Patched Release: 2.21.11
Affected Versions: Versions up to 2.21.10
Next Step: Update to 2.21.11 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-14901
CVE-2025-14901: Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay

The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the secu...

Published: Jan 06, 2026
Patched Release: 2.21.7
Affected Versions: Versions up to 2.21.6
Next Step: Update to 2.21.7 or newer if supported.

Plugin Critical Patched: Yes CVE-2025-6679
CVE-2025-6679: Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which m...

Published: Aug 14, 2025
Patched Release: 2.20.4
Affected Versions: Versions up to 2.20.3
Next Step: Update to 2.20.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-13451
CVE-2024-13451: Contact Form by Bit Form <= 2.17.5 - Unauthenticated Sensitive Information Exposure

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient direc...

Published: Jul 01, 2025
Patched Release: 2.17.6
Affected Versions: Versions up to 2.17.5
Next Step: Update to 2.17.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-2580
CVE-2025-2580: Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Au...

Published: Apr 24, 2025
Patched Release: 2.18.4
Affected Versions: Versions up to 2.18.3
Next Step: Update to 2.18.4 or newer if supported.

Plugin High Patched: Yes CVE-2025-30885
CVE-2025-30885: Bit Form – Contact Form Plugin <= 2.18.0 - Open Redirect

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.18.0. This is due to insufficient validation on a redirect url....

Published: Mar 27, 2025
Patched Release: 2.18.1
Affected Versions: Versions up to 2.18.0
Next Step: Update to 2.18.1 or newer if supported.

Plugin Low Patched: Yes CVE-2024-13450
CVE-2024-13450: Contact Form by Bit Form <= 2.17.4 - Authenticated (Administrator+) Server-Side Request Forgery

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it p...

Published: Jan 24, 2025
Patched Release: 2.17.5
Affected Versions: Versions up to 2.17.4
Next Step: Update to 2.17.5 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12190
CVE-2024-12190: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.17.3 - Missing Authorization to Authenticated (Subscriber+) Form Submission Disclosure

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bitform-form-entry-edit endpoint in all versions...

Published: Dec 24, 2024
Patched Release: 2.17.4
Affected Versions: Versions up to 2.17.3
Next Step: Update to 2.17.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-9507
CVE-2024-9507: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.15.2 - Authenticated (Administrator+) Improper Input Validation via iconUpload Function to Arbitrary File Read

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.15.2 due to improper input validation within the iconUploa...

Published: Oct 10, 2024
Patched Release: 2.15.3
Affected Versions: Versions up to 2.15.2
Next Step: Update to 2.15.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-47335
CVE-2024-47335: Bit Form – Contact Form Plugin <= 2.13.11 - Authenticated (Administrator+) SQL Injection

The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.13.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for au...

Published: Sep 26, 2024
Patched Release: 2.13.12
Affected Versions: Versions up to 2.13.11
Next Step: Update to 2.13.12 or newer if supported.

Plugin High Patched: Yes CVE-2024-47319
CVE-2024-47319: Bit Form – Contact Form Plugin <= 2.13.10 - Authenticated (Administrator+) Arbitrary File Upload

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.13.10. This makes i...

Published: Sep 25, 2024
Patched Release: 2.13.11
Affected Versions: Versions up to 2.13.10
Next Step: Update to 2.13.11 or newer if supported.

Plugin High Patched: Yes CVE-2024-47301
CVE-2024-47301: Bit Form – Contact Form Plugin <= 2.13.10 - Unauthenticated Stored Cross-Site Scripting

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.13.10 due to insufficient input sanitization and o...

Published: Sep 24, 2024
Patched Release: 2.13.11
Affected Versions: Versions up to 2.13.10
Next Step: Update to 2.13.11 or newer if supported.