WordPress Plugin Vulnerabilities

JetFormBuilder — Dynamic Blocks Form Builder < 3.5.6.2 - Authenticated (Contributor+) Remote Code Execution

Description

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
jetformbuilder
Fixed in 3.5.6.2

References

CVE
CVE-2026-32525
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/04af8675-1b1e-4f17-9eaf-87b49d8702e4

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (High)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
87f886cf-7e97-436d-aabc-bc8245f22666

Timeline

Publicly Published
2026-03-23 (about 1 month ago)
Added
2026-05-05 (about 8 days ago)
Last Updated
2026-05-05 (about 8 days ago)

Other

Published
Title
Published
2024-12-09
Title
Active Products Tables for WooCommerce. Use constructor to create tables < 1.0.6.6 - Unauthenticated Arbitrary Shortcode Execution via woot_get_smth
Published
2025-02-17
Title
PressMart - Modern Elementor WooCommerce WordPress Theme < 1.2.17 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-02-14
Title
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
Published
2023-11-13
Title
Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
Published
2018-05-18
Title
ProfileGrid – User Profiles, Groups and Communities <= 2.8.5 - Authenticated Code Execution