Skip to main content

JetFormBuilder EUVDEUVD-2026-37636

| CVE-2026-54195 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress form (AV:N/AC:L), no auth needed to inject (PR:N), victim click required (UI:R), scope-changed XSS in site origin yields limited C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 11:55 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder <= 3.6.0.1 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running JetFormBuilder ≤3.6.0.1
Delivery
Craft XSS payload for vulnerable form field
Exploit
Deliver malicious link to victim
Execution
Victim's browser renders injected script
Persist
Script executes in site origin
Impact
Steal session cookies or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a WordPress site running JetFormBuilder version 3.6.0.1 or earlier with a JetFormBuilder-generated form or endpoint reachable to unauthenticated visitors, and (2) victim user interaction - either clicking an attacker-supplied link containing the payload or loading a page where a previously injected payload is rendered (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed: CVSS 7.1 (High) with AV:N/AC:L/PR:N reflects easy network reachability without credentials, but UI:R means a victim must click or load attacker-controlled content, and C/I/A are all Low rather than High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or form-submission payload targeting a JetFormBuilder-rendered field on a victim WordPress site and distributes it via email, social media, or a malicious site. When a logged-in administrator or visitor follows the link, the injected JavaScript executes in their browser under the site's origin, enabling session-cookie theft, CSRF actions against wp-admin, or silent redirection. …
Remediation No vendor-released patch identified at time of analysis in the provided data - administrators should monitor the JetFormBuilder changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-6-0-1-cross-site-scripting-xss-vulnerability) for a release above 3.6.0.1 and upgrade immediately when available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations running JetFormBuilder 3.6.0.1 or earlier; disable the plugin and assess which pages are affected. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy