CVE-2026-4373

HIGH

JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field

Title source: cna
STIX 2.1

Description

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

References (5)

Scores

CVSS v3 7.5
EPSS 0.0015
EPSS Percentile 35.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-36
Status published
Products (1)
jetmonsters/JetFormBuilder — Dynamic Blocks Form Builder < 3.5.6.2
Published Mar 21, 2026
Tracked Since Mar 21, 2026