CVE-2024-7777 is a path traversal vulnerability classified under CWE-22, found in the 'Contact Form by Bit Form' WordPress plugin, specifically versions 2.0 through 2.13.9. The flaw arises from improper validation of file path inputs in multiple plugin functions, allowing authenticated users with Administrator or higher privileges to manipulate file paths beyond the intended restricted directories. This enables attackers to arbitrarily read and delete files on the web server. The ability to delete critical files such as wp-config.php can lead to remote code execution by destabilizing the WordPress environment or triggering fallback behaviors that allow code injection or execution. The vulnerability does not require user interaction but does require elevated privileges, limiting exploitation to users who already have significant access. The CVSS v3.1 base score is 9.0, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change with partial confidentiality loss but high integrity and availability impact. No public exploits have been reported yet, but the risk is substantial given the potential for server compromise. The vulnerability was publicly disclosed on August 20, 2024, and no official patches have been linked yet, emphasizing the need for immediate mitigation.

This vulnerability poses a severe risk to organizations running WordPress sites with the affected plugin. An attacker with administrator access can read sensitive files, potentially exposing credentials, configuration details, or other confidential data. More critically, the attacker can delete arbitrary files, including core WordPress configuration files like wp-config.php, which can disrupt site availability and enable remote code execution. This can lead to full server compromise, data breaches, defacement, or persistent backdoors. The impact extends to data confidentiality, integrity, and availability, potentially affecting customer trust, regulatory compliance, and business continuity. Since WordPress powers a significant portion of websites globally, any site using this plugin is at risk, especially those with multiple administrators or weak internal access controls. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation, as attackers may develop exploits rapidly once details are public.

Organizations should immediately audit their WordPress installations to identify the presence of the vulnerable 'Contact Form by Bit Form' plugin versions 2.0 to 2.13.9. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of privilege abuse. Implement file integrity monitoring to detect unauthorized file deletions or modifications, especially for critical files like wp-config.php. Regularly back up WordPress files and databases to enable rapid recovery in case of exploitation. Monitor logs for suspicious file access or deletion activities. Once a patch is available, apply it promptly. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting this plugin. Educate administrators about the risks of excessive privileges and the importance of plugin security hygiene.