Skip to main content

JetFormBuilder EUVDEUVD-2026-41263

| CVE-2026-13459 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Wordfence GHSA-p3vr-rhh6-cj6v
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
7.5 HIGH

Network-exploitable with no auth or complexity; confidentiality upgraded to H because exposed data includes credentials, tokens, and PII stored in wp_postmeta.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:21 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The JetFormBuilder - Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve every distinct value stored under any arbitrary wp_postmeta key on the site - including WooCommerce billing PII such as _billing_email, _billing_phone, and _billing_address fields, order totals, attachment paths, and any third-party plugin credentials or tokens stored in post meta - provided at least one published JetFormBuilder form with a get_from_db generator field exists on the site. Exploitation requires that the target site has at least one published jet-form-builder post containing a field whose generator_function is set to get_from_db; an attacker must supply a matching form ID, field name, and generator ID in the request, but all of these can be discovered by browsing the site's public forms.

AnalysisAI

Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Browse site for public JetFormBuilder forms
Delivery
Enumerate form ID, field name, and generator ID from page source
Exploit
Send unauthenticated REST API request with get_from_db parameters
Execution
Authorization check bypassed due to missing validation
Persist
Receive all distinct wp_postmeta values for requested key
Impact
Exfiltrate PII, tokens, or credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has at least one published post of type jet-form-builder containing a field whose generator_function is configured as get_from_db. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD/Wordfence CVSS score of 5.3 (C:L) significantly understates real-world confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a WooCommerce store browses the site, identifies a published JetFormBuilder form, and enumerates the form's generator configuration by inspecting page source or making REST API discovery requests to obtain the form ID, field name, and generator ID. The attacker then sends a crafted unauthenticated POST or GET request to the JetFormBuilder generator REST endpoint supplying those parameters with an arbitrary wp_postmeta key (e.g., _billing_email), and the server returns all distinct values stored under that key across all posts - leaking customer email addresses, billing details, or third-party API tokens in a single request. …
Remediation The primary remediation is to update JetFormBuilder to the version released after changeset 3591404; as of this analysis, the exact patched version number is not independently confirmed - administrators should check the WordPress plugin repository for a version newer than 3.6.3 and apply the latest available update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy