VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping

CVE-2026-11989

Description

The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the `upload_attachment` method. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The `upload_attachment` method in the WooCommerce integration makes HTTP requests to user-supplied URLs without validating that the target is not an internal or private network address."

Attack vector

An unauthenticated attacker can trigger a Server-Side Request Forgery (SSRF) by submitting a crafted form that includes a URL in a field mapped to a WooCommerce product image, product gallery, downloadable file, or Google Contacts attachment field. The `upload_attachment` method processes the submitted URL and makes an HTTP request to that arbitrary location from the web application's server, allowing the attacker to probe or interact with internal services. Exploitation requires that a form integration is configured with such a field mapping, which is a default use case for these integrations.

Affected code

The vulnerable code is in `backend/Actions/WooCommerce/RecordApiHelper.php` around line 584, specifically the `upload_attachment` method. The advisory states that the flaw exists in all versions up to and including 2.8.7 of the Bit Integrations plugin.

What the fix does

The advisory does not include a patch diff. To remediate the SSRF, the plugin should validate that the URL provided in the `upload_attachment` method points to an allowed, external resource and not to internal or private IP ranges. Additionally, the plugin should restrict the types of URLs that can be fetched and ensure that the response is not returned to the attacker in a way that leaks internal data.
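As an added illustration of the remediation described above (example code, not the plugin's own), the following PHP check rejects non-web schemes, embedded credentials, and any hostname that resolves to a private, loopback, link-local, or reserved address before an attachment URL is fetched. The function name `is_safe_attachment_url` is hypothetical; `wp_safe_remote_get()` and `wp_http_validate_url()` are real WordPress core functions.

```php
<?php
// Added example, not code from the Bit Integrations plugin. Pre-fetch check a
// handler such as upload_attachment() could run on a form-supplied URL.
function is_safe_attachment_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Only plain web schemes: rejects file://, php://, gopher:// and friends.
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    // "user:pass@host" forms are a classic way to confuse host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = $parts['host'];
    // Literal IP: check it directly. Hostname: resolve and check EVERY address,
    // not just the first one. (gethostbynamel() is IPv4-only; add an AAAA
    // lookup via dns_get_record() if IPv6 egress is possible.)
    $ips = filter_var($host, FILTER_VALIDATE_IP)
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: RFC 1918 / fc00::/7. NO_RES_RANGE: 127/8, 0/8,
        // 169.254/16 (cloud metadata), 240/4, ::1 and similar.
        $ok = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($ok === false) {
            return false;
        }
    }
    return true;
}

// Caveat: a check-then-fetch gap still allows DNS rebinding between this
// resolution and the real request. In WordPress, fetch with
// wp_safe_remote_get($url), which re-validates the target at request time
// through wp_http_validate_url() and the reject_unsafe_urls option, rather
// than wp_remote_get().
```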

Preconditions

  • Config: A form integration must be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field.
  • Input: The attacker must be able to submit a form that includes a URL in the mapped field.
  • Auth: No authentication is required; the attack is unauthenticated.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
