CVE-2024-13451: 
WordPress vulnerability analysis and mitigation

The Contact Form by Bit Form plugin for WordPress (versions up to and including 2.17.4) contains a Sensitive Information Exposure vulnerability. The vulnerability stems from insufficient directory listing prevention and lack of randomization of file names in file uploads. This security issue was discovered in early 2025 and was partially patched in version 2.17.5 (NVD, CVE).

The vulnerability exists in the file upload functionality of the plugin where there is inadequate protection against directory listing and predictable file naming patterns. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 7.5 (HIGH) by NVD and 5.3 (MEDIUM) by Wordfence. The vulnerability is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive data, specifically files that have been uploaded through the form. This could lead to unauthorized access to private information submitted by users through the contact form (NVD).

Users are advised to update to version 2.17.5 or later, which includes a partial patch for this vulnerability. The update addresses the directory listing and file name randomization issues (NVD).