Impact
JetFormBuilder for WordPress versions 3.6.1 and earlier contain a subscriber privilege escalation flaw classified as CWE-266. Affected users with subscriber roles can exploit the flaw to gain administrative authority on the affected WordPress site, enabling unauthorized content modifications, plugin configuration changes, or broader site compromise. The vulnerability arises during normal form interactions or administrative access that the plugin mishandles, allowing privilege elevation without additional authentication steps.
Affected Systems
Any WordPress site deploying Jetmonsters>JetFormBuilder plugin at version 3.6.1 or earlier is impacted. The exact version range is not enumerated beyond the affected cap, so all prior releases are considered vulnerable until patched to at least 3.6.1.1.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity, reflecting a non-zero impact and potential for remote exploitation. EPSS data is unavailable and the vulnerability is not listed in CISA KEV, suggesting no confirmed widespread attacks yet. Attackers likely trigger the defect through standard user interactions with the plugin, but the exact chain of events is not detailed in the source. Even absent a public exploit, the privilege escalation potential warrants timely mitigation.
OpenCVE Enrichment