Description
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The JetFormBuilder plugin contains an improper control of code generation flaw that allows an attacker to inject and execute arbitrary PHP code on the web server. This code injection weakness (CWE‑94) can be used to take full control of the WordPress site, accessing files, databases, and potentially the underlying operating system.

Affected Systems

WordPress installations that use the JetFormBuilder plugin in any release up through 3.5.6.1 are affected. Versions before 3.5.6.1 are also listed as vulnerable, so any site with an older release is at risk. Site administrators should verify the plugin version in use and consider a version audit to identify exposure.

Risk and Exploitability

The vulnerability has a CVSS score of 9.9, indicating critical severity. No EPSS score is provided, so the likelihood of exploitation cannot be quantified, and the issue is not recorded in the CISA KEV catalog. Based on the description, it is inferred that the attack would be carried out remotely, possibly by submitting malicious input through the plugin's form handling, although the exact exploitation method is not explicitly stated.

Generated by OpenCVE AI on March 25, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetFormBuilder to a version newer than 3.5.6.1, ideally the latest stable release.
  • If an update cannot be applied immediately, disable or uninstall the plugin until a patch is available.
  • Implement application‑layer filtering or a web‑application firewall to block suspicious code‑injection patterns in form input.
  • After applying the fix, run a comprehensive vulnerability scan to confirm remediation.

Generated by OpenCVE AI on March 25, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Jetmonsters
Jetmonsters jetformbuilder
Wordpress
Wordpress wordpress
Vendors & Products Jetmonsters
Jetmonsters jetformbuilder
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.
Title WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References

Subscriptions

Jetmonsters Jetformbuilder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T19:55:25.278Z

Reserved: 2026-03-12T11:12:19.948Z

Link: CVE-2026-32525

cve-icon Vulnrichment

Updated: 2026-03-25T19:55:22.035Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:05.553

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:24Z

Weaknesses