CVE-2024-7291

HIGH

JetFormBuilder <3.3.4.1 - Privilege Escalation

Title source: llm

Description

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/types/register-user.php#L220

Product

https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/methods/update-user/user-meta-property.php#L23

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8ea1c2-7c6e-43b3-97ca-a06438d51d11?source=cve

Scores

CVSS v3 7.2

EPSS 0.0053

EPSS Percentile 40.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269

Status published

Products (1)

jetmonsters/JetFormBuilder — Dynamic Blocks Form Builder < 3.3.4.1

Published Aug 03, 2024

Tracked Since Feb 18, 2026