Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.
AnalysisAI
A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.
Technical ContextAI
JetFormBuilder (CPE: cpe:2.3:a:jetmonsters:jetformbuilder:*:*:*:*:*:*:*:*) is a WordPress plugin developed by JetMonsters that provides form-building and form-handling capabilities. The vulnerability stems from improper control of code generation, classified under CWE-94 (Improper Control of Generation of Code), which occurs when user-controlled input is passed to code execution functions without sufficient sanitization or validation. In the context of a form builder, this typically means that form field values, configuration parameters, or dynamically constructed form logic are being evaluated or executed as code, allowing attackers to break out of the intended form processing logic and inject arbitrary PHP or JavaScript code that executes with the privileges of the web server or application context.
RemediationAI
Immediately upgrade JetFormBuilder to a version later than 3.5.6.1 as soon as the patched version becomes available from JetMonsters. Check the official WordPress plugin repository and the vendor's website for the latest stable release, and apply the update through the WordPress plugin management interface or via direct deployment if using a staging/deployment pipeline. Until a patch is released or applied, implement the following compensating controls: restrict form submission endpoints to whitelisted IP ranges if form functionality is not required for public users, disable the JetFormBuilder plugin if it is not actively in use, implement a Web Application Firewall (WAF) rule to block requests containing suspicious code injection payloads (PHP tags, eval, system calls) targeting form endpoints, and enable detailed logging and monitoring of form submissions for signs of exploitation. Regularly monitor the Patchstack database (https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/) and JetMonsters official channels for patch availability notifications.
More in Jetformbuilder
View allCross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder - Dynamic Blocks Form Builder plugin <= 3.0
Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlie
Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to e
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15889