CVE-2025-2580
Description
The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Bit Form plugin <=2.18.3 via unsanitized SVG file uploads allows Author-level users to execute arbitrary scripts.
Vulnerability
The Contact Form by Bit Form plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.18.3. The flaw resides in the file upload handling for SVG files, where insufficient input sanitization and output escaping allow arbitrary web scripts to be embedded [1].
Exploitation
An authenticated attacker with Author-level access or above can upload a malicious SVG file containing embedded JavaScript. When any user (including administrators) accesses the uploaded SVG file—either directly via its URL or through a media library view—the stored script executes in their browser. No additional user interaction beyond visiting the file is required [1].
Impact
Successful exploitation leads to persistent cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the context of the victim's WordPress session. This can be used to steal session cookies, perform administrative actions on behalf of the victim, deface the site, or redirect users to malicious sites, effectively gaining partial control over the affected WordPress installation [1].
Mitigation
The vendor released version 3.0.2 on 2026-05-22, which addresses the vulnerability. Users are strongly advised to update the Bit Form plugin to version 3.0.2 or later. For older versions, no official workaround has been provided; disabling SVG file upload capabilities or restricting Author-level upload permissions may reduce risk but does not fully remediate the issue [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
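The mitigation section leaves the question of what "sanitization" of an SVG upload should actually reject. The check below is added example code, not part of this advisory or of the Bit Form plugin: it parses an SVG with the standard library and flags the kinds of active content that turn a stored SVG into a script sink (script elements, `on*` event attributes, script-bearing URLs). The sample SVGs and function names are constructed for the example.

```python
"""Pre-upload check for SVG files: flag content that would let an SVG
served from the media library run script in a visitor's browser."""
import re
import xml.etree.ElementTree as ET

# Elements that can carry or embed script when a browser renders an SVG
# as a document (direct URL access), rather than inside an <img> tag.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # covers xlink:href after namespace stripping
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}local' prefix down to the local name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; empty means clean.

    Uses the stdlib parser so the example is self-contained; on real uploads
    a hardened parser (e.g. defusedxml) avoids entity-expansion problems.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():  # includes the root element itself
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # every SVG on* attribute is an event handler
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and DANGEROUS_SCHEMES.match(value):
                findings.append(f"script-bearing URL in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not svg_findings(svg_bytes)


# Constructed samples (not from the advisory): a plain icon, and an upload
# carrying the kind of embedded script the CVE describes.
BENIGN_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/></svg>'''
ACTIVE_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
  <script>run()</script></svg>'''
```

A rejected upload should be logged with its findings, since repeated SVG uploads containing script from an Author-level account are themselves a useful detection signal.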
Affected products
- (no CPE)
- (no CPE), version range: <=2.18.3
Patches
- r3271396
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.