Platform
wordpress
Component
bit-form
Fixed in
2.17.5
A Server-Side Request Forgery (SSRF) vulnerability exists in the Contact Form by Bit Form plugin for WordPress, affecting versions up to and including 2.17.4. The plugin's Webhooks integration accepts a destination URL from an authenticated user with administrator-level access or higher and has the server request it without adequate validation, so such an attacker can make the WordPress host issue web requests to arbitrary locations. The CVSS score is LOW because administrator privileges are required, but successful exploitation can still expose internal services and sensitive data.
Because the requests originate from the WordPress server, an administrator abusing the Webhooks integration can reach services that are not exposed to the outside world: internal APIs, management interfaces on the same network, or a cloud provider's instance-metadata endpoint. The responses, or the side effects of the requests, may let the attacker extract sensitive information or modify data in those systems. The administrator requirement is a weaker barrier in a WordPress Multisite network, where the administrator of one site is not a super admin but every site shares the same server; there, any site administrator could use the feature to make requests from the shared host, expanding the impact beyond their own site. Despite the low CVSS score, a path around internal network restrictions deserves prompt attention.
The vulnerability was publicly disclosed on 2025-01-25. No public proof-of-concept (PoC) code has been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Given the LOW CVSS score, the administrator requirement and the absence of public exploits, the probability of active exploitation is considered low, but environments with extensive internal services should still treat the update as a priority.
Exploit Status
EPSS: 0.34% (57th percentile)
The primary mitigation for CVE-2024-13450 is to upgrade the Contact Form by Bit Form plugin to version 2.17.5 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility or testing requirements, temporarily disable the Webhooks integration in the plugin's settings and review any webhook URLs already configured for destinations inside your network. A Web Application Firewall (WAF) inspects inbound traffic and does not stop the server's own outbound requests; the relevant control is egress filtering at the host or network level, allowing the web server to reach only trusted destinations and blocking private, loopback and link-local ranges (including the 169.254.169.254 cloud metadata address). Outbound requests do not appear in WordPress access logs, so monitor egress firewall or proxy logs for requests to internal addresses, and audit changes to the plugin's webhook configuration.
Update the Contact Form by Bit Form plugin to the latest available version. The Server-Side Request Forgery (SSRF) vulnerability is fixed in 2.17.5 and later, which stops authenticated attackers with administrator privileges from using the Webhooks integration to make the WordPress server issue web requests to arbitrary locations.
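The following is an added example, not code from the Bit Form plugin or from WordPress, showing the destination check a webhook feature (or an egress control in front of it) should apply before the server makes a request. It rejects non-HTTP schemes, embedded credentials, hosts outside an optional allow-list, and any host that resolves to a loopback, private, link-local, multicast or reserved address, including IPv6 and IPv4-mapped forms. The hostnames, addresses and the `FAKE_DNS` resolver are constructed so the example runs offline; in production `default_resolver` would be used instead.

```python
"""SSRF destination check for outbound webhook URLs (added example)."""
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

# Ranges an application server must never reach via a user-supplied URL.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    addresses: tuple = ()


def default_resolver(host):
    """Every address the host resolves to; all of them must be acceptable."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_webhook_url(url, resolver=default_resolver, allowed_hosts=None):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return Verdict(False, f"scheme {parts.scheme!r} not permitted")
    host = parts.hostname  # brackets already stripped from IPv6 literals
    if not host:
        return Verdict(False, "no host in URL")
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "credentials embedded in URL")
    host = host.rstrip(".").lower()
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        return Verdict(False, f"host {host!r} not on the webhook allow-list")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        try:
            addresses = list(resolver(host))
        except OSError as exc:
            return Verdict(False, f"could not resolve {host!r}: {exc}")
    if not addresses:
        return Verdict(False, f"{host!r} resolved to no addresses")
    for raw in addresses:
        addr = ipaddress.ip_address(raw)
        # ::ffff:10.0.0.1 is really 10.0.0.1; compare the unmapped address.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return Verdict(False, f"{host!r} resolves to {addr}, a blocked range", tuple(addresses))
    return Verdict(True, "ok", tuple(addresses))


def audit_webhooks(urls, resolver=default_resolver, allowed_hosts=None):
    """Classify every configured webhook destination; returns {url: Verdict}."""
    return {u: check_webhook_url(u, resolver, allowed_hosts) for u in urls}


# Constructed stand-in for DNS so the example runs offline (assumed names/addresses).
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["203.0.113.20", "10.0.0.5"],  # one public and one private answer
    "v6mapped.example.net": ["::ffff:192.168.1.20"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return FAKE_DNS[host]


# Constructed sample of webhook URLs as an administrator might have entered them.
SAMPLE_WEBHOOKS = [
    "https://hooks.example.com/form-submitted",
    "http://localhost:8080/admin",
    "http://metadata.internal/latest/meta-data/",
    "http://169.254.169.254/latest/meta-data/",
    "http://rebind.example.net/",
    "http://v6mapped.example.net/",
    "http://[::1]/",
    "http://user:secret@hooks.example.com/",
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for url, verdict in audit_webhooks(SAMPLE_WEBHOOKS, fake_resolver).items():
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {url}  ({verdict.reason})")
```

Only the first sample URL is allowed. Two caveats apply to any check of this kind: the HTTP client resolves the name again when it connects, so a host that answers with a public address now and a private one later (DNS rebinding) can slip past a pre-flight check unless the client is pinned to the validated address, and an allowed destination can redirect to an internal one, so redirects should be disabled or each hop re-validated. Network-level egress filtering backstops both gaps.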
CVE-2024-13450 is a Server-Side Request Forgery vulnerability in the Contact Form by Bit Form WordPress plugin that lets authenticated administrators make the server issue web requests to arbitrary locations through the Webhooks integration.
You are affected if you run the Contact Form by Bit Form plugin at version 2.17.4 or earlier on any WordPress site. Upgrade to 2.17.5 or later to remove the risk.
Upgrade the Contact Form by Bit Form plugin to version 2.17.5 or later. If upgrading is not immediately possible, temporarily disable the Webhooks integration as a workaround.
There is currently no evidence of active exploitation, but the vulnerability remains a potential risk and should be addressed promptly.
Refer to the official Bit Form website and WordPress plugin repository for updates and security advisories related to CVE-2024-13450.