Skip to main content

Jetformbuilder CVE-2026-32525

| EUVDEUVD-2026-15889 CRITICAL
Code Injection (CWE-94)
2026-03-25 Patchstack
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15889
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.9

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.

AnalysisAI

A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.

Technical ContextAI

JetFormBuilder (CPE: cpe:2.3:a:jetmonsters:jetformbuilder:*:*:*:*:*:*:*:*) is a WordPress plugin developed by JetMonsters that provides form-building and form-handling capabilities. The vulnerability stems from improper control of code generation, classified under CWE-94 (Improper Control of Generation of Code), which occurs when user-controlled input is passed to code execution functions without sufficient sanitization or validation. In the context of a form builder, this typically means that form field values, configuration parameters, or dynamically constructed form logic are being evaluated or executed as code, allowing attackers to break out of the intended form processing logic and inject arbitrary PHP or JavaScript code that executes with the privileges of the web server or application context.

RemediationAI

Immediately upgrade JetFormBuilder to a version later than 3.5.6.1 as soon as the patched version becomes available from JetMonsters. Check the official WordPress plugin repository and the vendor's website for the latest stable release, and apply the update through the WordPress plugin management interface or via direct deployment if using a staging/deployment pipeline. Until a patch is released or applied, implement the following compensating controls: restrict form submission endpoints to whitelisted IP ranges if form functionality is not required for public users, disable the JetFormBuilder plugin if it is not actively in use, implement a Web Application Firewall (WAF) rule to block requests containing suspicious code injection payloads (PHP tags, eval, system calls) targeting form endpoints, and enable detailed logging and monitoring of form submissions for signs of exploitation. Regularly monitor the Patchstack database (https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/) and JetMonsters official channels for patch availability notifications.

Share

CVE-2026-32525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy