Description
Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 versions.
Published: 2026-06-17
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetFormBuilder for WordPress versions 3.6.1 and earlier contain a subscriber privilege escalation flaw classified as CWE-266. Affected users with subscriber roles can exploit the flaw to gain administrative authority on the affected WordPress site, enabling unauthorized content modifications, plugin configuration changes, or broader site compromise. The vulnerability arises during normal form interactions or administrative access that the plugin mishandles, allowing privilege elevation without additional authentication steps.

Affected Systems

Any WordPress site deploying Jetmonsters>JetFormBuilder plugin at version 3.6.1 or earlier is impacted. The exact version range is not enumerated beyond the affected cap, so all prior releases are considered vulnerable until patched to at least 3.6.1.1.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, reflecting a non-zero impact and potential for remote exploitation. EPSS data is unavailable and the vulnerability is not listed in CISA KEV, suggesting no confirmed widespread attacks yet. Attackers likely trigger the defect through standard user interactions with the plugin, but the exact chain of events is not detailed in the source. Even absent a public exploit, the privilege escalation potential warrants timely mitigation.

Generated by OpenCVE AI on June 18, 2026 at 12:04 UTC.

Remediation

Vendor Solution

Update the WordPress JetFormBuilder Plugin to the latest available version (at least 3.6.1.1).


OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade JetFormBuilder to version 3.6.1.1 or newer.
  • As a temporary measure, disable JetFormBuilder forms for non-privileged users until the update is applied.
  • Review and enforce least‑privilege role assignments so that subscriber accounts cannot assume elevated capabilities unnecessarily.

Generated by OpenCVE AI on June 18, 2026 at 12:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Jetmonsters
Jetmonsters jetformbuilder
Wordpress
Wordpress wordpress
Vendors & Products Jetmonsters
Jetmonsters jetformbuilder
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 versions.
Title WordPress JetFormBuilder plugin <= 3.6.1 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Jetmonsters Jetformbuilder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:16:17.065Z

Reserved: 2026-06-12T09:16:00.860Z

Link: CVE-2026-54196

cve-icon Vulnrichment

Updated: 2026-06-17T12:16:11.653Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:15:02Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment