Bit Form WordPress Plugin Arbitrary File Deletion Vulnerability
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
Quick answer
Bit Form should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Bit Form up to and including 3.1.1
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Bit Form is affected by CVE-2026-14372. Vulnerable versions up to and including 3.1.1 can allow subscriber-level users to delete arbitrary files, which can become remote code execution if critical WordPress files such as wp-config.php are removed.
- Inventory all WordPress sites using Bit Form.
- Update Bit Form beyond 3.1.1 as soon as a fixed version is available.
- Disable the plugin until patched if low-privilege accounts can access the affected form or file workflow.
- Block direct access to the vulnerable delete action with a WAF or server rule during remediation.
- Review filesystem backups and file integrity monitoring for unexpected deletions under the WordPress root.
- Restore any missing WordPress core, plugin, theme, or configuration files from a trusted backup.
- Harden file permissions so the web process cannot delete files outside required upload/cache directories.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Bit Form is not running version 3.1.1 or older.
- Test the affected delete workflow as a subscriber in staging and confirm arbitrary paths are rejected.
- Run a WordPress file integrity check and confirm no critical files are missing.
- Confirm legitimate file upload or form cleanup features still work after remediation.
- Run a Fixnx scan and review public WordPress exposure after restoring and patching.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-14372?
Bit Form versions listed as affected should be reviewed: Bit Form up to and including 3.1.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
