Description
The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.
Published: 2026-03-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read
Action: Patch Now
AI Analysis

Impact

The JetFormBuilder plugin for WordPress allows an unauthenticated attacker to read any local file that the web server process can read. The vulnerability is caused by the set_from_array method accepting a file path from a Media Field preset JSON payload without verifying that the path resides in the uploads directory. When the form contains a Media Field and a Send Email action with a file attachment, a crafted request can be sent without authentication, causing the plugin to attach the requested file to an email and deliver it to the attacker. This path-traversal flaw (CWE-36) enables data exfiltration by reading arbitrary files, potentially exposing sensitive configuration, credentials, or application source code.
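The two weaknesses the description names, a user-supplied path that is never checked against the uploads directory and a same-file test that compares only basenames, are contrasted below with hardened versions. This is an added example in PHP; it is not JetFormBuilder's code, not the vendor's fix, and the function names, the temporary directory layout and the constructed file paths are assumptions made for the demonstration. The hardened checks canonicalise both paths with realpath() and require the candidate to resolve to a regular file under the uploads base directory (in a real WordPress plugin that base would come from wp_upload_dir()['basedir']; it is passed in here so the script runs offline).

```php
<?php
// Added example (not JetFormBuilder code): a basename-only same-file check
// and an unvalidated path, beside realpath()-based replacements.

// Weak: only the last path component is compared, so two different files
// that happen to share a name count as "the same file". This illustrates
// the class of check the advisory describes, not the plugin's actual code.
function weak_is_same_file(string $a, string $b): bool
{
    return basename($a) === basename($b);
}

// Hardened: both paths must exist and resolve to the identical canonical path.
function safe_is_same_file(string $a, string $b): bool
{
    $ra = realpath($a);
    $rb = realpath($b);
    return $ra !== false && $rb !== false && $ra === $rb;
}

// Hardened: accept a user-supplied path only if it canonicalises to a regular
// file inside $uploads_basedir. Assumed helper name; $uploads_basedir stands in
// for wp_upload_dir()['basedir'] so the example needs no WordPress install.
function resolve_upload_path(string $candidate, string $uploads_basedir): ?string
{
    $base = realpath($uploads_basedir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // The prefix test runs after canonicalisation, so "../" segments and
    // symlinks have already been resolved and nothing outside $base can pass.
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Self-contained demonstration on constructed files in a temporary directory.
function demo(): array
{
    $root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jfb_example_' . getmypid();
    $uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
    $private = $root . DIRECTORY_SEPARATOR . 'private';
    mkdir($uploads, 0700, true);
    mkdir($private, 0700, true);
    file_put_contents($uploads . '/report.pdf', 'inside uploads');
    file_put_contents($private . '/report.pdf', 'outside uploads');

    $inside    = $uploads . '/report.pdf';                 // legitimate upload
    $traversal = $uploads . '/../private/report.pdf';      // constructed input

    $results = [
        'weak_same'    => weak_is_same_file($inside, $traversal),
        'safe_same'    => safe_is_same_file($inside, $traversal),
        'inside_ok'    => resolve_upload_path($inside, $uploads) !== null,
        'traversal_ok' => resolve_upload_path($traversal, $uploads) !== null,
    ];

    // Remove the constructed files and directories again.
    unlink($uploads . '/report.pdf');
    unlink($private . '/report.pdf');
    rmdir($uploads);
    rmdir($private);
    rmdir($root);
    return $results;
}

print_r(demo());
```

Run with `php example.php`. With the constructed files, weak_is_same_file() reports the path that escapes the uploads directory as the same file as the legitimate upload, while safe_is_same_file() distinguishes them and resolve_upload_path() accepts only the path that canonicalises to a file under the uploads base. The design point is the order of operations: canonicalise first, then compare against the allowed base as a directory prefix (with the trailing separator, so a sibling directory whose name merely starts with "uploads" is not accepted).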

Affected Systems

JetMonsters JetFormBuilder – Dynamic Blocks Form Builder for WordPress. All releases up to and including version 3.5.6.2 are vulnerable. WordPress sites running these plugin versions are at risk. Specifically, the plugin’s set_from_array in uploaded-file.php (line 99) and related file-upload modules fail to validate the file path, allowing traversal outside the uploads directory.

Risk and Exploitability

The CVSS score of 7.5 indicates high impact. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, but the path-traversal flaw combined with unauthenticated form submission means exploitation is straightforward once a form with the vulnerable configuration exists. An attacker who can submit a form to the site does not need authentication and can obtain any file the web server can read, making this a serious risk for sites that store sensitive files outside the uploads directory.

Generated by OpenCVE AI on March 21, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetFormBuilder to the latest available version (at least 3.5.6.3).
  • Restrict form submissions containing Media Field and Send Email actions to authenticated users only.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

  Type: First Time appeared
  Values Added: Jetmonsters; Jetmonsters jetformbuilder — Dynamic Blocks Form Builder; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Jetmonsters; Jetmonsters jetformbuilder — Dynamic Blocks Form Builder; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 07:15:00 +0000

  Type: Description
  Values Added: The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

  Type: Title
  Values Added: JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field

  Type: Weaknesses
  Values Added: CWE-36

  Type: References
  Values Added: (none listed)

  Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:34.037Z

Reserved: 2026-03-18T10:15:15.895Z

Link: CVE-2026-4373

Vulnrichment

Updated: 2026-03-24T14:05:19.367Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T07:16:10.380

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:18Z

Weaknesses