CVE-2025-11991
Unknown
Unknown - Not Provided
Unauthorized Data Modification in JetFormBuilder Plugin via Missing Capability Check
Vulnerability report for CVE-2025-11991, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: Wordfence
Description
Description
The JetFormBuilder β Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jetformbuilder | jetformbuilder | 3.5.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |