CVE-2026-14372 Overview
CVE-2026-14372 is an arbitrary file deletion vulnerability in the Bit Form WordPress plugin, marketed as a contact form, payment form, multi-step form, calculator, and custom form builder. The flaw exists in the deleteFiles function across all versions up to and including 3.1.1. Insufficient file path validation allows authenticated users with subscriber-level access or higher to delete arbitrary files on the underlying server. Deleting sensitive files such as wp-config.php can trigger site reinitialization workflows that attackers pivot into remote code execution. The issue is tracked under CWE-22 (Path Traversal).
Critical Impact
Any authenticated WordPress user, including low-privilege subscribers, can delete arbitrary files on the server and escalate to full site compromise and remote code execution.
Affected Products
- Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress
- All versions up to and including 3.1.1
- Fixed in version 3.1.2
Discovery Timeline
- 2026-07-09 - CVE CVE-2026-14372 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-14372
Vulnerability Analysis
The Bit Form plugin exposes a file deletion routine used to remove files attached to form submissions. The deleteFiles function does not validate that supplied file paths remain within the plugin's expected upload directory. Attackers can therefore inject traversal sequences such as ../ to reference arbitrary files on the WordPress host.
Exploitation requires authentication, but the required privilege level is subscriber, which most WordPress sites grant automatically through open registration. Once inside, an attacker can call the vulnerable AJAX endpoint and pass a crafted path pointing to wp-config.php or other critical files.
Deleting wp-config.php forces WordPress into its installation state, allowing an attacker to reconfigure the database connection to a host they control. That reconfiguration path is a known technique for turning arbitrary file deletion into remote code execution on WordPress deployments.
Root Cause
The root cause is missing canonicalization and allow-list validation of the file path parameter processed by deleteFiles. The plugin trusts the supplied path and passes it to filesystem removal calls without ensuring it is confined to the intended upload directory. Relevant sink points are visible in FileHandler.php line 129 and FormManager.php line 1039.
Attack Vector
The attacker authenticates to WordPress with any account of subscriber role or higher. They then issue a request to the plugin's frontend AJAX handler (see FrontendAjax.php line 87) with a file path parameter containing traversal sequences that resolve outside the upload directory. The vulnerable code deletes the referenced file, enabling denial of service or a follow-on remote code execution chain when configuration files are removed.
No public exploit code or proof-of-concept has been published. See the Wordfence advisory and WordPress changeset 3598554 for the applied fix.
Detection Methods for CVE-2026-14372
Indicators of Compromise
- Unexpected deletion of WordPress core files such as wp-config.php, .htaccess, or index.php.
- WordPress site suddenly redirecting to the installation wizard at /wp-admin/setup-config.php.
- POST requests to the Bit Form AJAX endpoint containing ..%2F or ../ sequences in file path parameters.
- New subscriber-level user registrations closely followed by Bit Form AJAX activity.
Detection Strategies
- Inspect web server access logs for admin-ajax.php requests whose Bit Form action parameters carry directory traversal patterns.
- Correlate authenticated subscriber sessions with file system delete events on the WordPress installation directory.
- Alert on WordPress installations transitioning to setup mode outside of planned maintenance windows.
Monitoring Recommendations
- Enable file integrity monitoring on wp-config.php, the WordPress root, and the wp-content/plugins/bit-form/ directory.
- Forward WordPress and web server logs to a centralized log platform and retain them for at least 90 days.
- Track plugin inventory to surface any WordPress site still running Bit Form 3.1.1 or earlier.
How to Mitigate CVE-2026-14372
Immediate Actions Required
- Update the Bit Form plugin to version 3.1.2 or later on every WordPress site in the environment.
- Audit user accounts and remove or downgrade untrusted subscriber-level accounts created during the exposure window.
- Verify that wp-config.php and other core files are intact and restore from backup if tampering is detected.
Patch Information
The vendor released Bit Form 3.1.2, which adds path validation to the deleteFiles routine. Review the code changes in WordPress changeset 3598554 and the 3.1.1 to 3.1.2 diff.
Workarounds
- Disable the Bit Form plugin until the patched version can be deployed.
- Disable open user registration by unchecking the Membership option in WordPress General Settings.
- Restrict access to admin-ajax.php Bit Form actions using a web application firewall rule blocking traversal patterns in file path parameters.
# Update Bit Form plugin using WP-CLI
wp plugin update bit-form --version=3.1.2
# Verify the installed version
wp plugin get bit-form --field=version
# Disable open registration if not required
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

