Impact
Unauthenticated Cross‑Site Scripting (XSS) is present in JetFormBuilder plugin versions up to 3.6.0.1, allowing an attacker to embed unsanitized script content that is rendered in the victim’s browser. The vulnerability does not require user authentication and can cause arbitrary code execution in the context of site visitors.
Affected Systems
All WordPress installations running the JetFormBuilder plugin version 3.6.0.1 or earlier are affected. The plugin is provided by Jetmonsters and the vulnerability is specific to those versions.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate severity. No EPSS score is available, so the likelihood of exploitation is not quantified. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an unauthenticated attacker submitting malicious input through the plugin’s form fields, which the plugin then renders without proper escaping.
OpenCVE Enrichment