VYPR
Medium severity (CVSS 4.9) · NVD Advisory · Published Oct 11, 2024 · Updated Apr 15, 2026

CVE-2024-9507

Description

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.15.2 due to improper input validation within the iconUpload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to leverage a PHP filter chain attack and read the contents of arbitrary files on the server, which can contain sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated admins can exploit improper input validation in the Bit Form plugin's iconUpload function to read arbitrary files via a PHP filter chain attack.

Root Cause

The Contact Form by Bit Form plugin for WordPress, up to version 2.15.2, contains an arbitrary file read vulnerability in its iconUpload function. The flaw stems from improper input validation, allowing user-supplied file paths to be processed without sufficient sanitization. This enables an authenticated attacker to leverage a PHP filter chain attack to read the contents of any file on the server. [1]

Exploitation Requirements

Exploitation requires Administrator-level access (or higher) to the WordPress instance. The attacker must be able to reach the vulnerable iconUpload endpoint, which is otherwise protected. By crafting a malicious file path through PHP wrapper techniques (the filter chain), the attacker bypasses typical upload restrictions and reads server files. No additional privileges or network position are needed beyond the admin session. [1]

Impact

Successful exploitation allows the attacker to read arbitrary files, potentially exposing sensitive data such as WordPress configuration files (including database credentials), private keys, or other application secrets. This can lead to further compromise of the site and its underlying infrastructure. The confidentiality impact is considered high, while integrity and availability are unaffected. [1]

Mitigation

The vendor has released a patched version (2.15.3) that addresses the input validation flaw. All users are strongly advised to update immediately. No workarounds are documented; the only mitigation is to apply the update. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, but admin-level attack surface should be minimized. [1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
