Is WordPress affected by EUVD-2026-14240?

An unpatched vulnerability in the JetFormBuilder WordPress plugin exposes organizations to unauthorized file access and data exfiltration.

EUVD-2026-14240

| CVE-2026-4373 HIGH

2026-03-21 Wordfence

GHSA-947p-f7h4-wr4m

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 21, 2026 - 07:15 euvd

EUVD-2026-14240

Analysis Generated

Mar 21, 2026 - 07:15 vuln.today

CVE Published

Mar 21, 2026 - 06:45 nvd

HIGH 7.5

Description

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

Analysis

The JetFormBuilder plugin for WordPress contains a critical path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. All versions up to and including 3.5.6.2 are affected. …

Remediation

Within 24 hours: Audit all WordPress installations for JetFormBuilder plugin presence and version; disable the plugin immediately on all affected sites if business continuity permits. Within 7 days: Implement Web Application Firewall (WAF) rules to block malicious Media Field payloads; review access logs for signs of exploitation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

EUVD-2026-14240 vulnerability details – vuln.today

Back

EUVD-2026-14240

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-14240

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code