CVE-2025-14901

Name of the Vulnerable Software and Affected Versions Bit Form – Contact Form Plugin versions prior to 2.21.7

Description The Bit Form – Contact Form Plugin for WordPress has a flaw allowing unauthorized workflow execution. The triggerWorkFlow function lacks proper authorization, specifically in its nonce verification. The security check only prevents requests when both nonce verification fails and the user is logged in. This allows unauthenticated attackers to replay form workflow executions and activate configured integrations like webhooks, email notifications, CRM integrations, and automation platforms. Attackers need to obtain the entry ID and log IDs from a legitimate form submission response to exploit this issue via the bitforms trigger workflow AJAX action.

Recommendations Update to version 2.21.7 or later.