CVE-2025-14901: CWE-862 Missing Authorization in bitpressadmin Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder
The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action, provided they can obtain the entry ID and log IDs from a legitimate form submission response.
AI Analysis
Technical Summary
CVE-2025-14901 is a missing authorization vulnerability (CWE-862) in the Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder WordPress plugin by bitpressadmin. The vulnerability exists in the triggerWorkFlow function, which is responsible for executing configured workflows such as webhooks, email notifications, CRM integrations, and automation platform triggers. The root cause is a logic flaw in the nonce verification mechanism: the security check only blocks requests when both the nonce verification fails and the user is logged in. This means that if the nonce verification fails but the user is not logged in (i.e., unauthenticated), the request is not blocked. Consequently, an unauthenticated attacker who can obtain valid entry IDs and log IDs from legitimate form submission responses can replay these requests to trigger workflows arbitrarily. This can lead to unauthorized execution of actions configured in the workflows, potentially causing data manipulation, spamming via email notifications, or triggering unintended automation processes. The vulnerability affects all versions of the plugin up to and including 2.21.6. The CVSS 3.1 base score is 6.5 (medium), reflecting network attack vector, no privileges required, no user interaction, and impact limited to integrity and availability but not confidentiality. No public exploits are currently known, and no patches have been linked yet. The vulnerability was reserved in December 2025 and published in January 2026.
Potential Impact
The primary impact of CVE-2025-14901 is unauthorized workflow execution that can disrupt business processes and automation pipelines. Attackers can trigger email notifications, potentially leading to spam or phishing campaigns originating from the victim's infrastructure, damaging reputation and causing operational disruption. CRM integrations and automation platforms triggered without authorization may result in data corruption, unauthorized data transmission, or unintended actions in connected systems, affecting data integrity and availability. The ability to replay workflows without authentication increases the risk of persistent abuse. Organizations relying on this plugin for critical form processing or payment workflows may experience service interruptions or data inconsistencies. Although confidentiality is not directly impacted, the integrity and availability of business processes and automated communications are at risk. The vulnerability's exploitation could also serve as a foothold for further attacks if attackers leverage triggered workflows to inject malicious payloads or manipulate downstream systems.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations:
1) Restrict access to form submission responses to trusted users only, minimizing the risk of attackers obtaining valid entry and log IDs.
2) Monitor and log all AJAX requests to the bitforms_trigger_workflow action for unusual patterns or repeated replay attempts.
3) Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the vulnerable AJAX endpoint, especially those lacking valid authentication tokens or originating from suspicious IP addresses.
4) Temporarily disable or limit critical integrations (e.g., email notifications, CRM triggers) configured in workflows to reduce potential impact.
5) If feasible, replace the vulnerable plugin with alternative form builders that have no known authorization issues.
6) Educate site administrators about the risk and encourage prompt updates once a patch becomes available.
7) Review and tighten nonce verification logic in custom code or plugin forks to ensure authorization checks are properly enforced regardless of user login status.
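To make the logic flaw in the Technical Summary and the intent of mitigation 7 concrete, here is an added illustration constructed for this write-up; it is not the plugin's source code. It assumes a loaded WordPress runtime, and the nonce action name bitforms_workflow, the request parameters `_ajax_nonce` and `entry_id`, and the manage_options capability are all assumptions.

```php
<?php
// Constructed illustration of the flaw described in the advisory; NOT the plugin's
// source. Assumed: a loaded WordPress runtime, the nonce action name
// 'bitforms_workflow', the request parameters '_ajax_nonce' and 'entry_id', and
// that re-running a workflow should require the 'manage_options' capability.

// Flawed guard, mirroring the advisory: the request is rejected only when the
// nonce check fails AND the caller is logged in. What gets through:
//   nonce valid, logged in         -> allowed (intended)
//   nonce invalid, logged in       -> blocked (intended)
//   nonce valid, anonymous         -> allowed
//   nonce invalid/absent, anonymous -> ALLOWED  <- the bug: no nonce needed at all
function flawed_workflow_guard( $nonce_value ) {
    $nonce_ok = false !== wp_verify_nonce( $nonce_value, 'bitforms_workflow' );
    if ( ! $nonce_ok && is_user_logged_in() ) {
        wp_send_json_error( 'Unauthorized', 403 ); // ends the request
    }
    return true; // reached by every unauthenticated request, nonce or not
}

// Hardened guard: two independent checks, neither conditional on login state.
//  1. CSRF: the nonce must be present and valid. check_ajax_referer() terminates
//     the request with HTTP 403 on failure, for anonymous and logged-in callers alike.
//  2. Authorization (the CWE-862 gap): a nonce only proves the request came from a
//     page WordPress rendered; it is not a permission. Require a capability as well.
function hardened_workflow_guard() {
    check_ajax_referer( 'bitforms_workflow', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    return true;
}

// Register the hardened handler for logged-in users only. admin-ajax.php exposes
// an action to anonymous callers solely through the wp_ajax_nopriv_* hook, so
// not registering that hook removes the unauthenticated path entirely.
add_action( 'wp_ajax_bitforms_trigger_workflow', function () {
    hardened_workflow_guard();
    $entry_id = isset( $_POST['entry_id'] ) ? absint( $_POST['entry_id'] ) : 0;
    // ... execute the configured workflow for $entry_id ...
    wp_send_json_success( array( 'entry_id' => $entry_id ) );
} );
```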
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-18T16:33:20.699Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e0293a55ed4ed9984d557
Added to database: 1/7/2026, 6:52:03 AM
Last enriched: 2/27/2026, 11:42:40 AM
Last updated: 3/25/2026, 9:40:00 AM