CVE-2025-11991

MEDIUM

JetFormBuilder <3.5.3 - Info Disclosure

Title source: llm

Description

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve

Scores

CVSS v3 5.3

EPSS 0.0019

EPSS Percentile 8.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

jetmonsters/JetFormBuilder — Dynamic Blocks Form Builder < 3.5.3

Published Dec 16, 2025

Tracked Since Feb 18, 2026