Skip to main content

Jetformbuilder

4 CVEs product

Monthly

CVE-2026-54196 MEDIUM This Month

Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to elevate their role to a higher-privileged level within the WordPress instance. The root cause is incorrect privilege assignment (CWE-266) in the plugin's form processing logic, enabling the lowest authenticated WordPress user role to gain unauthorized administrative or elevated access. No public exploit code or confirmed active exploitation has been identified at time of analysis; CVSS reflects high confidentiality and integrity impact if the high-complexity exploitation conditions are satisfied.

Privilege Escalation Jetformbuilder
NVD VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-54195 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetformbuilder
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-32525 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.

Code Injection RCE Jetformbuilder
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2023-33212 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder - Dynamic Blocks Form Builder plugin <= 3.0.6 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jetformbuilder
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 6.8
MEDIUM This Month

Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to elevate their role to a higher-privileged level within the WordPress instance. The root cause is incorrect privilege assignment (CWE-266) in the plugin's form processing logic, enabling the lowest authenticated WordPress user role to gain unauthorized administrative or elevated access. No public exploit code or confirmed active exploitation has been identified at time of analysis; CVSS reflects high confidentiality and integrity impact if the high-complexity exploitation conditions are satisfied.

Privilege Escalation Jetformbuilder
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetformbuilder
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.

Code Injection RCE Jetformbuilder
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder - Dynamic Blocks Form Builder plugin <= 3.0.6 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jetformbuilder
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy