JetFormBuilder < 3.5.4 – Missing Authorization to Unauthenticated Form Generation | CVE 2025-11991 | Plugin Vulnerabilities

Description

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.

Affects Plugins

Fixed in 3.5.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tri Firdyanto (Firdy)

Verified

No

WPVDB ID

22fcba12-df99-43e0-aef7-e9a40019c632

Timeline

Publicly Published

2025-12-15 (about 4 months ago)

Added

2025-12-15 (about 4 months ago)

Last Updated

2025-12-16 (about 4 months ago)

Other

Published

Title

Published

2023-12-06

Title

System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_global_value)

Published

2025-01-16

Title

radSLIDE <= 2.1 - Missing Authorization

Published

2024-12-11

Title

New User Approve < 2.6.4 - Missing Authorization

Published

2022-11-04

Title

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

Published

2026-02-18

Title

ACF Photo Gallery Field < 3.1 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification