CVE-2025-11991
Unauthorized Data Modification in JetFormBuilder Plugin via Missing Capability Check
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jetformbuilder | jetformbuilder | 3.5.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the JetFormBuilder WordPress plugin (up to version 3.5.3) is due to a missing capability check on the run_callback function of the AI form generation REST API endpoint. This allows unauthenticated attackers to invoke the AI form generation feature without authorization, enabling them to generate forms using AI and consume the site's AI usage limits. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthenticated attackers to generate AI-based forms on your site, which can consume your AI usage limits without permission. This unauthorized usage could lead to resource exhaustion or unexpected costs if your AI usage is metered or limited. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect exploitation attempts by monitoring HTTP POST requests to the REST API endpoint '/wp-json/jetformbuilder/ai/generate'. For example, using command-line tools like curl or network monitoring tools, you can check for POST requests to this endpoint. A sample curl command to test the endpoint is: curl -X POST https://yourwordpresssite.com/wp-json/jetformbuilder/ai/generate -d '{"prompt":"test"}' -H 'Content-Type: application/json'. Additionally, inspecting web server logs for POST requests to 'ai/generate' can help identify unauthorized usage. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the JetFormBuilder plugin to a version later than 3.5.3 where the missing capability check is fixed. If an update is not immediately available, restrict access to the REST API endpoint '/wp-json/jetformbuilder/ai/generate' by implementing firewall rules or web application firewall (WAF) rules to block unauthenticated POST requests to this endpoint. Additionally, monitor AI usage limits and logs for unusual activity to detect potential abuse. [1]