CVE-2024-13451
Contact Form by Bit Form <= 2.17.5 - Unauthenticated Sensitive Information ExposureThe Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5.
We have discovered 243 live websites that are affected by CVE-2024-13451.
Affected Software
| Product |  Bit Form |
| Category | Wordpress Plugins |
| Vulnerable Domains | 243 live websites (36% of Bit Form install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 46 versions ( 75% of all versions) |
Common Weakness Enumeration
CWE-200 Exposure of Sensitive Information to an Unauthorized ActorDetails
- Published - Jul 2, 2025
- Updated - Jul 2, 2025
Credits
- Tim Coen (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-13451 United States | 79 websites |
 France | 23 websites |
 Germany | 21 websites |
 Italy | 14 websites |
 Russia | 14 websites |
 Cyprus | 12 websites |
 Czech Republic | 11 websites |
 GB | 11 websites |
 Australia | 7 websites |
 Brazil | 5 websites |
Website Distribution by TLD
Number of websites using CVE-2024-13451| .com | 78 websites |
| .com.au | 20 websites |
| .ru | 13 websites |
| .it | 12 websites |
| .org | 11 websites |
| .cz | 11 websites |
| .co.uk | 10 websites |
| .com.br | 8 websites |
| .net | 7 websites |
| .de | 6 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-13451
Top websites that are affected by CVE-2024-13451. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | France | **,*** | |
| ***************.com | United States | ***,*** | |
| *********.tv | United States | ***,*** | |
| **********.com | United States | *,***,*** | |
| ********.**.kr | United States | *,***,*** | |
| *************.ca | United States | *,***,*** | |
| *************************.net | Cyprus | *,***,*** | |
| *********************.***.br |  Chile | *,***,*** | |
| *****.org | United States | *,***,*** | |
| ****.io | Germany | *,***,*** |
FAQ
CVE-2024-13451 is Exposure of Sensitive Information to an Unauthorized Actor in Bit Form
A total of 243 websites have been identified as vulnerable to CVE-2024-13451, based on global website indexing conducted by WebTechSurvey.
The Bit Form is affected by the CVE-2024-13451 vulnerability.
Bit Form versions up to and including 2.17.5 are vulnerable to CVE-2024-13451.