🔐 CVE Alert

CVE-2026-11989

MEDIUM 6.5

Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.

CWE CWE-918
Vendor bitpressadmin
Product bit integrations – form integration, webhook, spreadsheets, crm, lms & email automation
Published Jun 19, 2026
Stay Ahead of the Next One

Get instant alerts for bitpressadmin bit integrations – form integration, webhook, spreadsheets, crm, lms & email automation

Be the first to know when new medium vulnerabilities affecting bitpressadmin bit integrations – form integration, webhook, spreadsheets, crm, lms & email automation are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

bitpressadmin / Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation
0 ≤ 2.8.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/bdf8d5c2-dbb1-47d5-b858-da6f6e1989f4?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/WooCommerce/RecordApiHelper.php#L631 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/GoogleContacts/RecordApiHelper.php#L139 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/WooCommerce/RecordApiHelper.php#L584 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/GoogleContacts/RecordApiHelper.php#L168 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/WooCommerce/RecordApiHelper.php#L631 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/GoogleContacts/RecordApiHelper.php#L139 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/WooCommerce/RecordApiHelper.php#L584 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/GoogleContacts/RecordApiHelper.php#L168 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3571608%40bit-integrations&new=3571608%40bit-integrations&sfp_email=&sfph_mail=

Credits

Chris Peterson