Jetformbuilder
Monthly
Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to elevate their role to a higher-privileged level within the WordPress instance. The root cause is incorrect privilege assignment (CWE-266) in the plugin's form processing logic, enabling the lowest authenticated WordPress user role to gain unauthorized administrative or elevated access. No public exploit code or confirmed active exploitation has been identified at time of analysis; CVSS reflects high confidentiality and integrity impact if the high-complexity exploitation conditions are satisfied.
Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.
Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder - Dynamic Blocks Form Builder plugin <= 3.0.6 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to elevate their role to a higher-privileged level within the WordPress instance. The root cause is incorrect privilege assignment (CWE-266) in the plugin's form processing logic, enabling the lowest authenticated WordPress user role to gain unauthorized administrative or elevated access. No public exploit code or confirmed active exploitation has been identified at time of analysis; CVSS reflects high confidentiality and integrity impact if the high-complexity exploitation conditions are satisfied.
Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.
Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder - Dynamic Blocks Form Builder plugin <= 3.0.6 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.