Bit Form Contact Form Plugin Missing Authorization Vulnerability in WordPress

Vulnerability

A vulnerability exists in the Bit Form Contact Form Plugin for WordPress, in versions through 2.21.6. The issue arises from a lack of proper authorization in the 'triggerWorkFlow' function, which allows unauthorized users to execute workflows. The root cause is a logic flaw in nonce verification: the security check only rejects a request if the nonce is invalid and the user is logged in, so an unauthenticated request is never rejected. As a result, unauthenticated attackers can replay workflow executions and activate all associated integrations, such as webhooks, email notifications, CRM connections, and automation platforms, through the 'bitforms_trigger_workflow' AJAX action, provided they have the entry ID and log IDs from a legitimate form submission.
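The following is an added illustration of the flawed check described above beside a hardened form, written in the style of a WordPress AJAX handler; it is not the plugin's code, and the function names, the nonce action string and the 'manage_options' capability are assumptions.

```php
<?php
// Hypothetical illustration of the authorization flaw described in this advisory.
// Not the plugin's actual code; handler names, the nonce action string and the
// capability checked are assumptions chosen for the example.

// Flawed handler: the request is rejected only when the nonce is bad AND the
// caller is logged in. An anonymous caller (no session, no valid nonce) makes
// is_user_logged_in() false, so the condition never fires and the privileged
// work runs. Registering it on wp_ajax_nopriv_ exposes it to anonymous callers.
function example_trigger_workflow_flawed() {
    $nonce = isset( $_REQUEST['_ajax_nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_ajax_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_trigger_workflow' ) && is_user_logged_in() ) {
        wp_send_json_error( 'invalid nonce', 403 ); // dies
    }
    // ... privileged work: run the workflow and fire every configured integration ...
    wp_send_json_success();
}
add_action( 'wp_ajax_example_trigger_workflow', 'example_trigger_workflow_flawed' );
add_action( 'wp_ajax_nopriv_example_trigger_workflow', 'example_trigger_workflow_flawed' );

// Hardened handler: the nonce check is unconditional (check_ajax_referer dies
// with 403 on failure), and the caller must hold the capability the action
// actually needs. No wp_ajax_nopriv_ hook is registered, so there is no
// anonymous entry point at all. Nonces alone are not authorization, which is
// why the capability check is separate from the nonce check.
function example_trigger_workflow_fixed() {
    check_ajax_referer( 'example_trigger_workflow', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // ... privileged work ...
    wp_send_json_success();
}
add_action( 'wp_ajax_example_trigger_workflow', 'example_trigger_workflow_fixed' );
```

When auditing a plugin for this class of bug, look for nonce or capability checks that are combined with is_user_logged_in() using AND, and for privileged actions registered on wp_ajax_nopriv_ hooks.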

Impact

Exploitation of this vulnerability allows for unauthorized workflow executions, triggering all configured integrations, including webhooks, email notifications, CRM integrations, and automation platforms.

Reproduction

To reproduce this vulnerability, send a request to the 'bitforms_trigger_workflow' AJAX action without authentication. Include a valid entry ID and log IDs from a previous form submission response. The request will bypass nonce verification and execute the workflow, activating all associated integrations.

Remediation

Users are advised to update the Bit Form Contact Form Plugin to version 2.21.7 or later.

Added: Jan 7, 2026, 2:51 PM
Updated: Jan 7, 2026, 2:51 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.