VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 8 known issues Latest disclosed Mar 20, 2026

JetFormBuilder — Dynamic Blocks Form Builder Vulnerabilities

Review known vulnerability records for the WordPress plugin JetFormBuilder — Dynamic Blocks Form Builder (`jetformbuilder`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
8
High or Critical
3
Linked CVEs
8
Last Updated
Mar 20, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for JetFormBuilder — Dynamic Blocks Form Builder so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
8 records include a published patch path.
Severity Mix
0 critical and 3 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for JetFormBuilder — Dynamic Blocks Form Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-4373
JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload wit...

Published
Mar 20, 2026
Patched Release
3.5.6.3
Affected Versions
Versions up to 3.5.6.2
Next Step
Update to 3.5.6.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-11991
JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attacker...

Published
Dec 15, 2025
Patched Release
3.5.4
Affected Versions
Versions up to 3.5.3
Next Step
Update to 3.5.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64384
JetFormBuilder <= 3.5.3 - Missing Authorization

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to perform an unauthorized...

Published
Nov 29, 2025
Patched Release
3.5.4
Affected Versions
Versions up to 3.5.3
Next Step
Update to 3.5.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-53990
JetFormBuilder <= 3.5.1.2 - Authenticated (Administrator+) PHP Object Injection

The JetFormBuilder plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.5.1.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. N...

Published
Jul 16, 2025
Patched Release
3.5.2
Affected Versions
Versions up to 3.5.1.2
Next Step
Update to 3.5.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-7291
JetFormBuilder <= 3.3.4.1 - Authenticated (Administrator+) Privilege Escalation

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions...

Published
Aug 02, 2024
Patched Release
3.3.4.2
Affected Versions
Versions up to 3.3.4.1
Next Step
Update to 3.3.4.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-48763
JetFormBuilder <= 3.1.4 - Unauthenticated Content Injection

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to content injection in all versions up to, and including, 3.1.4. This makes it possible for unauthenticated attackers to inject content onto the site.

Published
Nov 28, 2023
Patched Release
3.1.5
Affected Versions
Versions up to 3.1.4
Next Step
Update to 3.1.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-37866
JetFormBuilder <= 3.0.8 - Authenticated (Author+) Privilege Escalation

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.0.8. This is due to insufficient restrictions on the form builder. This makes it possible for authenticated attackers, with author-level access and above, to create f...

Published
Jul 10, 2023
Patched Release
3.0.9
Affected Versions
Versions up to 3.0.8
Next Step
Update to 3.0.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-33212
JetFormBuilder <= 3.0.6 - Cross-Site Request Fogery via 'do_admin_action'

The JetFormBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.6. This is due to missing or incorrect nonce validation on the 'do_admin_action' function. This makes it possible for unauthenticated attackers to perform var...

Published
May 24, 2023
Patched Release
3.0.7
Affected Versions
Versions up to 3.0.6
Next Step
Update to 3.0.7 or newer if supported.
Open Full Report Open CVE Reference