
CVE-2024-7782: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bitpressadmin Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Severity: High
Published: Tue Aug 20 2024 (08/20/2024, 03:21:11 UTC)
Source: CVE Database V5
Vendor/Project: bitpressadmin
Product: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Description

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the iconRemove function in versions 2.0 to 2.13.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 01:59:32 UTC

Technical Analysis

CVE-2024-7782 is a path traversal vulnerability categorized under CWE-22 affecting the 'Contact Form by Bit Form' WordPress plugin, specifically versions 2.0 through 2.13.4. The vulnerability arises from insufficient validation of file paths in the iconRemove function, which is responsible for deleting icon files associated with contact forms. Authenticated attackers with Administrator or higher privileges can exploit this flaw to delete arbitrary files on the web server by manipulating the file path parameter. This arbitrary file deletion can be leveraged to remove critical configuration files such as wp-config.php, which contains database credentials and other sensitive configuration data. Deletion of such files can lead to denial of service or facilitate remote code execution by forcing the system into an insecure state or enabling attackers to upload malicious files. The vulnerability does not require user interaction but does require elevated privileges, limiting exploitation to users who already have significant access. The CVSS v3.1 base score of 8.7 reflects the network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change due to impact beyond the vulnerable component. Although no known exploits have been reported in the wild, the vulnerability poses a serious risk to WordPress sites using this plugin, especially those with multiple administrators or compromised admin accounts. The lack of available patches at the time of disclosure increases urgency for mitigation.
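The root cause described above is a file-removal handler that trusts the supplied path. As an added illustration (not the plugin's own code, which this page does not show), the following is the containment check such a handler needs: the request is reduced to a bare file name, the extension is allow-listed, the path is resolved with symlinks followed, and only a regular file that still sits inside the icon directory is unlinked. The icon directory, the extension list and the demo layout are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumed allow-list: an icon-removal endpoint has no business deleting anything else.
ALLOWED_ICON_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}

class IconPathError(ValueError):
    """The requested name does not denote a regular icon file inside icon_dir."""

def resolve_icon_path(icon_dir: str, requested: str) -> Path:
    """Map an untrusted icon name to a path that is provably inside icon_dir."""
    name = requested.strip()
    # Only a bare file name: separators, '.', '..' and absolute paths are rejected early.
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise IconPathError(f"not a bare file name: {requested!r}")
    # Allow-list the extension so config or PHP files are never candidates.
    if Path(name).suffix.lower() not in ALLOWED_ICON_SUFFIXES:
        raise IconPathError(f"not an icon file type: {requested!r}")
    base = Path(icon_dir).resolve()
    # resolve() follows symlinks: a link in icon_dir pointing at wp-config.php lands outside base.
    candidate = (base / name).resolve()
    if candidate.parent != base or not candidate.is_file():
        raise IconPathError(f"not a regular file in the icon directory: {requested!r}")
    return candidate

def remove_icon(icon_dir: str, requested: str) -> Path:
    target = resolve_icon_path(icon_dir, requested)  # validate first, delete second
    target.unlink()
    return target

def demo() -> dict:
    """Exercise the check on a constructed, hypothetical layout: one real icon plus
    a symlink to a stand-in wp-config.php that lives outside the icon directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        config = root / "wp-config.php"
        config.write_text("<?php // constructed stand-in, not a real config\n")
        icons = root / "icons"
        icons.mkdir()
        (icons / "logo.png").write_bytes(b"\x89PNG constructed")
        (icons / "link.png").symlink_to(config)  # assumes symlink support (Linux/macOS)
        results = {}
        for name in ("logo.png", "../wp-config.php", "link.png", "wp-config.php"):
            try:
                results[name] = str(remove_icon(str(icons), name).relative_to(root))
            except IconPathError:
                results[name] = "rejected"
        results["config_survives"] = config.is_file()
        return results
```

Only the genuine icon is removed; the traversal name, the symlink and the non-icon extension are all refused before `unlink` runs, and the stand-in config file is untouched.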

Potential Impact

The impact of CVE-2024-7782 is substantial for organizations using the affected WordPress plugin. Successful exploitation allows attackers to delete arbitrary files on the web server, which can disrupt website availability and integrity. Critical files like wp-config.php contain database credentials and configuration settings; their deletion can cause site outages and enable attackers to gain further control, potentially leading to remote code execution. This compromises the confidentiality, integrity, and availability of the affected systems. Organizations relying on this plugin for contact forms, payment processing, or multi-step forms risk service disruption, data loss, and full server compromise if exploited. The requirement for administrator-level access limits the attack surface but also means that compromised admin accounts or insider threats can leverage this vulnerability for significant damage. The vulnerability could be used as part of a broader attack chain to pivot into deeper network layers or exfiltrate sensitive data. Given WordPress’s widespread use globally, the threat can affect a large number of websites, including e-commerce, corporate, and government sites.

Mitigation Recommendations

1. Immediately update the 'Contact Form by Bit Form' plugin to a patched version once available from the vendor.
2. In the absence of an official patch, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of compromised admin accounts.
3. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting path traversal or file deletion patterns targeting the iconRemove function.
4. Regularly back up critical WordPress files, including wp-config.php and other configuration files, to enable rapid recovery in case of file deletion.
5. Conduct thorough audits of administrator accounts and remove unnecessary privileges to minimize the number of users who can exploit this vulnerability.
6. Monitor server logs for unusual file deletion activity or errors related to missing files.
7. Employ file integrity monitoring tools to detect unauthorized changes or deletions of critical files.
8. Consider isolating WordPress instances in containerized or sandboxed environments to limit the blast radius of potential exploitation.
9. Educate administrators about the risks of this vulnerability and the importance of cautious plugin management and access control.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-08-13T23:15:01.483Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c1eb7ef31ef0b56026e

Added to database: 2/25/2026, 9:39:42 PM

Last enriched: 2/28/2026, 1:59:32 AM

Last updated: 4/11/2026, 11:26:46 PM

