WordPress Plugin Vulnerabilities

JetFormBuilder < 3.5.6.3 - Unauthenticated Arbitrary File Read via Media Field

Description

The plugin is vulnerable to arbitrary file read via path traversal due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

Affects Plugins

Plugin icon
jetformbuilder
Fixed in 3.5.6.3

References

CVE
CVE-2026-4373
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1801fd3e-d56f-4540-9700-9e9de8b465e1

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
7.5 (high)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
173af602-6466-4caa-8bec-798e4a91bfe1

Timeline

Publicly Published
2026-03-20 (about 1 month ago)
Added
2026-03-20 (about 1 month ago)
Last Updated
2026-03-20 (about 1 month ago)

Other

Published
Title
Published
2025-12-22
Title
PhastPress < 3.8 - Unauthenticated Arbitrary File Read via Null Byte Injection
Published
2022-04-05
Title
Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
Published
2022-04-12
Title
WPvivid Backup and Migration Plugin < 0.9.71 - Admin+ Arbitrary File Download
Published
2022-07-11
Title
Project Source Code Download <= 1.0.0 - Unauthenticated Backup Download
Published
2025-11-20
Title
Import WP – Export and Import CSV and XML files to WordPress < 2.14.18 - Unauthenticated Information Exposure