JetFormBuilder

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.

Basic Information

ID CVE-2025-11991

Source Wordfence

Published Dec 16, 2025 at 07:21

Affected Product

Vendor jetmonsters

Product JetFormBuilder — Dynamic Blocks Form Builder

Version *

Affected Versions jetmonsters JetFormBuilder — Dynamic Blocks Form Builder *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The JetFormBuilder \u2014 Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.",
    "published": "2025-12-16T07:21:06.272Z",
    "modified": "2025-12-16T07:21:06.272Z",
    "type": "cve",
    "title": "JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve\nhttps://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26",
    "id": "CVE-2025-11991",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "jetmonsters JetFormBuilder \u2014 Dynamic Blocks Form Builder *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "JetFormBuilder \u2014 Dynamic Blocks Form Builder",
    "version": "*",
    "vendor": "jetmonsters",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation_CVE-2025-11991