Introduction
A single vulnerable WordPress plugin can provide attackers with direct access to thousands of business websites. In August 2025, a critical flaw in the Bit Form builder plugin for WordPress (CVE-2025-6679) exposed a large number of sites to remote code execution by unauthenticated attackers. This post summarizes the technical details, affected versions, and vendor security history for security professionals assessing their exposure.
Bit Form is a widely used WordPress form builder plugin developed by CRM Perks. It offers both free and PRO versions, with over 10,000 active installations. The plugin is popular for its advanced form-building capabilities, including file uploads and integrations with other WordPress tools. Its broad adoption means vulnerabilities can have significant impact across the WordPress ecosystem.
Technical Information
CVE-2025-6679 is a critical arbitrary file upload vulnerability in the Bit Form builder plugin for WordPress, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability affects all versions up to and including 2.20.4.
The flaw is present in the advanced file upload functionality provided by the PRO version of Bit Form. When a WordPress site has both the free and PRO versions installed and activated, and publishes a form containing an advanced file upload element, the plugin fails to enforce proper file type validation. As a result, unauthenticated attackers can upload arbitrary files—including executable PHP scripts—to the server.
The attack flow is as follows:
- The attacker locates a WordPress site running Bit Form (<= 2.20.4) with both free and PRO versions active.
- The attacker finds a published form with an advanced file upload element.
- The attacker submits a crafted request containing a malicious file (such as a PHP web shell) via the form.
- Due to missing or insufficient server-side validation, the file is accepted and written to the server (commonly in wp-content/uploads).
- The attacker accesses the uploaded file directly via the web, triggering remote code execution with the privileges of the web server process.
The root cause is the absence of robust server-side file type and content validation in the file upload handler for advanced file uploads. This is a recurring issue for this plugin family, as seen in prior CVEs affecting earlier versions. No public code snippets are available for this specific CVE, but related advisories indicate the vulnerable logic is in the file upload processing path for advanced elements in the PRO version.
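The server-side validation that the root-cause paragraph describes as missing, as an added example in plain PHP (this is not Bit Form's code; the allowlist, the `validate_upload` name and the sample files are this example's own): every dotted segment of the filename must be on an extension allowlist, the bytes are sniffed with finfo and must match the claimed type, and the stored name is generated by the server.

```php
<?php
// Added example, not Bit Form's code: the server-side checks whose absence CWE-434 describes.
declare(strict_types=1);

// Allowlist of extension => MIME type the file content must actually have.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'pdf' => 'application/pdf'];

/** Returns ['ok' => bool, 'reason' => string, 'name' => ?string]. */
function validate_upload(string $tmpPath, string $originalName): array
{
    // Strip any path and reject characters that could smuggle in separators or nulls.
    $base = basename(str_replace('\\', '/', $originalName));
    if ($base === '' || preg_match('/[^A-Za-z0-9._-]/', $base)) {
        return ['ok' => false, 'reason' => 'disallowed characters in filename', 'name' => null];
    }
    // Every dotted segment after the first must be allowed, so "x.php.jpg" fails like "x.php".
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return ['ok' => false, 'reason' => 'no extension', 'name' => null];
    }
    foreach (array_slice($parts, 1) as $seg) {
        if (!isset(ALLOWED_TYPES[$seg])) {
            return ['ok' => false, 'reason' => "extension '$seg' not allowed", 'name' => null];
        }
    }
    $ext = end($parts);
    // Inspect the bytes, not the name: the detected MIME type must match the claimed extension.
    $detected = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content type '$detected' does not match .$ext", 'name' => null];
    }
    // Store under a server-generated name so the submitter never controls the stored path.
    return ['ok' => true, 'reason' => 'accepted', 'name' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed samples: a minimal PNG signature, and harmless PHP source submitted under image names.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello';");

foreach ([[$png, 'photo.png'], [$php, 'photo.jpg'], [$php, 'photo.php.jpg'], [$php, 'photo.php']] as [$path, $name]) {
    $r = validate_upload($path, $name);
    printf("%-14s %s %s\n", $name, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
}
unlink($png);
unlink($php);
```

Validation of this kind belongs alongside a web-server rule that refuses to execute scripts under the uploads directory, so that a validation bypass still does not turn a written file into code execution.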
Affected Systems and Versions
- Product: Bit Form builder plugin for WordPress
- Affected versions: All versions up to and including 2.20.4
- Vulnerable configuration: Both free and PRO versions installed and activated, with at least one published form containing an advanced file upload element
Vendor Security History
CRM Perks, the developer of Bit Form, has a history of recurring file upload vulnerabilities in this and related plugins:
- CVE-2024-6123: Arbitrary file upload in Bit Form up to 2.13.3 (iconUpload function)
- CVE-2024-7782: Arbitrary file deletion in Bit Form (could lead to RCE)
- Arbitrary file upload in Bit Form <= 1.8.1 (2024-01-22)
- Arbitrary file upload in Bit Form < 1.9 (2023-05-15)
- Authenticated file upload in Bit Form PRO <= 2.6.4
The vendor typically releases patches within a week of public disclosure but has not demonstrated consistent resolution of the underlying architectural flaws. Security advisories and changelogs often mention file upload security enhancements, but similar vulnerabilities have reappeared in subsequent versions.