Platform
wordpress
Component
bit-form
Fixed in
2.17.5
A Server-Side Request Forgery (SSRF) vulnerability exists in the Contact Form by Bit Form plugin for WordPress, affecting versions up to and including 2.17.4 and fixed in 2.17.5. The flaw allows authenticated attackers with Administrator-level access or above to make the WordPress server issue web requests to arbitrary locations through the plugin's Webhooks integration. The CVSS score is LOW, but successful exploitation can still expose internal services and the data they hold.
The SSRF in Contact Form by Bit Form lets an authenticated administrator craft web requests that originate from the WordPress server rather than from the attacker's own machine. Anything that server can reach over HTTP or HTTPS becomes reachable to the attacker: internal APIs, administrative dashboards, services bound to localhost or to the private network, and, on cloud hosts, instance metadata endpoints. Depending on what those services accept, the attacker can read data from them or change it. Note that on a single-site WordPress install an administrator can already install arbitrary plugins, so the practical risk lies where administrator-level accounts are not fully trusted: WordPress Multisite, where a site administrator has far less power than the network super admin, and any setup where an administrator account has been compromised. The low CVSS score therefore understates the impact in environments that rely on network position to protect internal services.
This vulnerability was publicly disclosed on 2025-01-25. No public proof-of-concept (PoC) code has been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Given the LOW CVSS score and the absence of public exploits, the probability of active exploitation is considered low, but vigilance is still advised, especially in environments with many internal services reachable from the web server.
WordPress sites running the Contact Form by Bit Form plugin at version 2.17.4 or earlier, in particular those whose administrator accounts are not fully trusted or could be compromised, and those with internal services reachable from the web server over HTTP or HTTPS. Shared hosting environments where several WordPress sites share the same server infrastructure are also at increased risk, since a request issued from one compromised site originates from the same network position as its neighbours.
• wordpress (plugin directory; "bit-form" is the Component slug listed above, adjust the path if your install uses a different directory name):
grep -m1 -E '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/bit-form/*.php
• wordpress (WP-CLI):
wp plugin get bit-form --field=version
• generic web (the readme.txt shipped with WordPress.org plugins is normally readable without authentication; any "Stable tag" of 2.17.4 or lower is vulnerable):
curl -s https://your-wordpress-site.com/wp-content/plugins/bit-form/readme.txt | grep -i 'stable tag'
Disclosure
Exploit status
EPSS
0.34% (57th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13450 is to upgrade the Contact Form by Bit Form plugin to version 2.17.5 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility testing, temporarily disable the Webhooks integration in the plugin's settings. As a further precaution, restrict outbound connections from the web server with egress filtering (host firewall, security group, or a forward proxy that allows only trusted destinations); a Web Application Firewall inspects inbound traffic and does not stop server-originated requests. Monitor the egress firewall or proxy logs, not the WordPress access logs, for connections from the web server to private, loopback, link-local, or cloud metadata addresses, and review the Webhook URLs configured in the plugin for internal destinations.
Update the Contact Form by Bit Form plugin to the latest available version. The Server-Side Request Forgery (SSRF) vulnerability is fixed in versions later than 2.17.4. This prevents authenticated attackers with administrator privileges from making web requests to arbitrary locations from your web application.
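The destination check that a webhook sender needs, and that the mitigation above asks you to enforce at the network edge, looks like the following. This is an added example, not code from the Bit Form plugin or from WordPress; in a WordPress plugin the equivalent built-in is wp_safe_remote_post(), which calls wp_http_validate_url() to reject non-public hosts. The hostnames and the resolver table are constructed so the example runs offline, and the public address in the table is only a constant.

```python
"""Guard for a user-supplied webhook URL: allow only http(s) destinations whose
host resolves exclusively to public unicast addresses. Added example; not the
plugin's code. Hostnames and the fake DNS table below are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host, resolver):
    """Return the set of ip_address objects for host; a literal IP resolves to itself."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass  # not a literal address, ask the resolver
    try:
        infos = resolver(host, None)  # same signature as socket.getaddrinfo
    except socket.gaierror:
        return set()
    # sockaddr[0] is the address string; strip an IPv6 scope id such as %eth0
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def is_safe_webhook_url(url, resolver=socket.getaddrinfo):
    """True only if url is http(s) and every address its host resolves to is public unicast."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # credentials embedded in a webhook URL are never legitimate here
    addrs = _resolve(parts.hostname, resolver)
    if not addrs:
        return False  # unresolvable: fail closed
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
        # is_global is False for loopback, RFC 1918, link-local (incl. 169.254.169.254),
        # CGNAT, documentation and reserved ranges; multicast must be excluded explicitly.
        if not ip.is_global or ip.is_multicast:
            return False
    return True


# Constructed resolver table so the example runs offline. The first host stands in
# for a legitimate webhook receiver; the second for an attacker-controlled name that
# answers with a public and an internal address, a common trick to slip past a
# "first answer only" check.
_FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "attacker.example": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolver(host, port):
    """Drop-in for socket.getaddrinfo backed by the constructed table above."""
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in _FAKE_DNS[host]]


def check_urls(urls, resolver=fake_resolver):
    """Map each candidate webhook URL to the guard's verdict."""
    return {u: is_safe_webhook_url(u, resolver) for u in urls}


if __name__ == "__main__":
    candidates = [
        "https://hooks.example.com/in",
        "http://127.0.0.1:8080/wp-admin/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/",
        "http://attacker.example/cb",
        "https://admin:pw@hooks.example.com/",
    ]
    for url, ok in check_urls(candidates).items():
        print(f"{'allow' if ok else 'block':5} {url}")
```

Two caveats a practitioner should keep in mind. The check resolves the name once; if the HTTP client resolves it again at connect time an attacker can rebind the name to an internal address in between, so either connect to the address that passed the check or re-validate inside the client. Redirects must be validated the same way, since a public host can answer 302 to http://169.254.169.254/. Run the check both when the webhook URL is saved and again immediately before each send.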
CVE-2024-13450 is a Server-Side Request Forgery vulnerability in the Contact Form by Bit Form WordPress plugin that allows authenticated administrators to make the server issue arbitrary web requests.
You are affected if you run the Contact Form by Bit Form plugin at version 2.17.4 or earlier. Upgrade to 2.17.5 or later to remove the vulnerability.
Upgrade the Contact Form by Bit Form plugin to version 2.17.5 or later. If upgrading is not immediately possible, temporarily disable the Webhooks integration as a workaround.
There is currently no evidence of active exploitation, but the vulnerability remains a potential risk and should be addressed promptly.
Refer to the official Bit Form website and WordPress plugin repository for updates and security advisories related to CVE-2024-13450.