CVE-2026-11989 medium

Description

The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations. Affected software — plugin: Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation (affected: *-2.8.7). CVSS 6.5 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

• Wordfence remediation: Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation
  Wordfence

  Update to version 2.8.8, or a newer patched version

  2026-06-19 08:08 UTC
• Wordfence remediation: Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation
  Wordfence

  Update to version 2.8.8, or a newer patched version

  2026-06-19 02:09 UTC
• Wordfence remediation: Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation
  Wordfence

  Update to version 2.8.8, or a newer patched version

  2026-06-18 20:08 UTC

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

References (3)

• CVE record: CVE-2026-11989 Wordfence
• Wordfence vulnerability detail Wordfence
• https://www.wordfence.com/threat-intel/vulnerabilities/id/bdf8d5c2-dbb1-47d5-b858-da6f6e1989f4?source=api-prod Wordfence

Only Available for Registered Users. Sign in to view.