{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25418", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:26.262Z", "datePublished": "2026-02-19T08:27:06.644Z", "dateUpdated": "2026-04-28T16:14:58.487Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bit-form", "product": "Bit Form", "vendor": "Bit Apps", "versions": [{"changes": [{"at": "2.21.11", "status": "unaffected"}], "lessThanOrEqual": "2.21.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:09.603Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bit Apps Bit Form bit-form allows SQL Injection.<p>This issue affects Bit Form: from n/a through <= 2.21.10.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bit Apps Bit Form bit-form allows SQL Injection.This issue affects Bit Form: from n/a through <= 2.21.10."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.487Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bit-form/vulnerability/wordpress-bit-form-plugin-2-21-10-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Bit Form plugin <= 2.21.10 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T18:34:14.212704Z", "id": "CVE-2026-25418", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:24:59.625Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T18:34:14.212704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T18:33:29.376Z"}}], "cna": {"title": "WordPress Bit Form plugin <= 2.21.10 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "affected": [{"vendor": "bitpressadmin", "product": "Bit Form", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.21.10"}], "packageName": "bit-form", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:25:53.574Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bit-form/vulnerability/wordpress-bit-form-plugin-2-21-10-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bitpressadmin Bit Form bit-form allows SQL Injection.This issue affects Bit Form: from n/a through <= 2.21.10.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bitpressadmin Bit Form bit-form allows SQL Injection.<p>This issue affects Bit Form: from n/a through <= 2.21.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:27:06.644Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25418", "state": "PUBLISHED", "dateUpdated": "2026-02-19T18:36:02.883Z", "dateReserved": "2026-02-02T12:53:26.262Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:06.644Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bit Apps Bit Form bit-form allows SQL Injection.This issue affects Bit Form: from n/a through <= 2.21.10."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un comando SQL ('inyecci\u00f3n SQL') en bitpressadmin Bit Form bit-form permite inyecci\u00f3n SQL. Este problema afecta a Bit Form: desde n/a hasta &lt;= 2.21.10."}], "id": "CVE-2026-25418", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:23.460", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bit-form/vulnerability/wordpress-bit-form-plugin-2-21-10-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.21.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Bit Form", "source": "cna", "vendor": "bitpressadmin"}, "product": "bit_form", "vendor": "bitpressadmin"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:14:38.992037+00:00", "value": {"mitigation_remediation": ["Upgrade the Bit Form plugin to a version newer than 2.21.10, which contains the fix for the SQL injection issue.", "If an upgrade is not immediately possible, disable or remove the plugin from the WordPress installation to eliminate the attack surface.", "Deploy a Web Application Firewall rule or intrusion detection system that flags unusual SQL-like payloads targeting the plugin\u2019s input fields, thereby reducing the risk of successful exploitation."], "summary": {"action": "Apply Patch", "impact": "SQL Injection leading to potential data exposure or modification"}, "threat_synthesis": {"affected_systems": "The Bit App\u2019s Bit Form plugin is affected in all releases up to and including version 2.21.10. Systems running WordPress with any of these plugin versions are vulnerable. Administrators should verify the installed plugin version and upgrade if it falls within the affected range.", "description_and_impact": "An SQL Injection flaw exists in the Bit Form plugin for WordPress, where user input is not properly sanitized before being embedded in an SQL statement. This vulnerability can allow an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data extraction, alteration, or loss of integrity. The weakness is a classic example of improper neutralization of special elements used in an SQL command, classified under CWE-89, which compromises the confidentiality, integrity, or availability of the database and possibly the broader hosting environment.", "risk_and_exploitability": "The CVSS score of 7.6 reflects a moderate to high severity, but the EPSS of less than 1% indicates a low probability that this vulnerability is actively exploited in the wild at the time of analysis. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The likely attack vector involves an HTTP request that reaches the plugin\u2019s endpoint, as is typical for WordPress plugin weaknesses. Exploitation would require the attacker to supply crafted input to the vulnerable parameter, which the plugin then passes directly to the database."}}}}, "created": "2026-02-20T10:08:20.620533+00:00", "updated": "2026-04-16T00:15:18.645055+00:00", "vendors": ["bitpressadmin", "bitpressadmin$PRODUCT$bit_form", "wordpress", "wordpress$PRODUCT$wordpress"]}