CVE-2025-6679
Published: 15 August 2025
Summary
CVE-2025-6679 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-6679 is a critical vulnerability in the Bit Form builder plugin for WordPress, affecting all versions up to and including 2.20.4. It stems from missing file type validation, enabling arbitrary file uploads to the affected site's server. The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites for initial access.
Unauthenticated attackers can exploit this vulnerability by uploading arbitrary files, which may lead to remote code execution on the server. For successful exploitation, the PRO version of the plugin must be installed and activated, and a form containing an advanced file upload element must be published on the site.
Advisories and patch details are available in referenced sources, including a WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3343461%40bit-form%2Ftrunk&old=3336733%40bit-form%2Ftrunk&sfp_email=&sfph_mail=), the plugin's official page (https://wordpress.org/plugins/bit-form/), and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2e294f-904b-4674-8baf-d3a9a260d634?source=cve), which outline remediation steps such as updating the plugin beyond version 2.20.4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24991
Vulnerability details
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.
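The page does not show the plugin's upload handler, so the following is an added illustration rather than Bit Form's own code: the unchecked pattern the advisory describes (the client-supplied name decides what gets written) next to a hardened handler that allowlists extensions, verifies the file's magic bytes against the claimed type, rejects executable extensions anywhere in the name, and stores the file under a server-chosen name. The allowed types and the executable-extension list are assumptions for a form that accepts documents and images.

```python
import os
import secrets

# Constructed allowlist for a form's file-upload element: extension -> magic bytes.
# Assumption: this form only needs to accept PDFs and common image types.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Extensions a web server may execute; rejected anywhere in the name, not only at the end.
EXECUTABLE_EXTS = {"php", "phtml", "php5", "php7", "phar", "shtml", "cgi", "pl"}


def store_upload_unchecked(upload_dir, filename, content):
    """CWE-434 pattern: no type check, the client's filename (and extension) is kept."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def validate_upload(filename, content):
    """Return the allowlisted extension for this upload, or None if it must be rejected."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all: nothing to allowlist against
    ext = parts[-1]
    if ext not in ALLOWED_TYPES or any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return None  # unknown extension, or a double extension such as a.php.jpg
    # Accept only content whose leading bytes agree with the claimed extension.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return None
    return ext


def store_upload_validated(upload_dir, filename, content):
    """Hardened form: allowlisted type, content checked, server-chosen name and extension."""
    ext = validate_upload(filename, content)
    if ext is None:
        raise ValueError("rejected upload: %s" % filename)
    # Random name chosen by the server; nothing from the client reaches the path.
    safe_name = "%s.%s" % (secrets.token_hex(16), ext)
    path = os.path.join(upload_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path
```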
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial access and RCE; uploaded files (e.g., PHP) then facilitate T1505.003 (Web Shell) deployment.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by identifying and patching the vulnerable Bit Form plugin versions up to 2.20.4.
- SI-10 (Information Input Validation): enforces validation of file uploads in forms, addressing the missing file type validation that enables arbitrary file uploads.
- SI-3 (Malicious Code Protection): scans uploaded files for malicious code, detecting or blocking dangerous files that could lead to RCE even if validation fails.