CVE-2026-4373
Status: Received - Intake
Path Traversal in JetFormBuilder Plugin Allows Arbitrary File Read

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.
Meta Information
Published: 2026-03-21
Last Modified: 2026-03-21
Generated: 2026-05-07
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor          Product         Version / Range
jetformbuilder  jetformbuilder  up to 3.5.6.2 (inclusive)
wordfence       jetformbuilder  up to 3.5.6.2 (inclusive)
wordfence       jetformbuilder  3.5.6.3
CWE ID and Description
CWE-36: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4373 is a Local File Inclusion (LFI) vulnerability in the JetFormBuilder plugin for WordPress, affecting all versions up to and including 3.5.6.2.

The vulnerability arises because the method 'Uploaded_File::set_from_array' accepts user-supplied file paths from the Media Field preset JSON payload without verifying that the file path belongs to the WordPress uploads directory.

Additionally, the 'File_Tools::is_same_file' method performs an insufficient check by only comparing basenames, which allows attackers to bypass restrictions.

As a result, unauthenticated attackers can exploit this flaw by submitting a specially crafted form request when the form is configured with a Media Field and a Send Email action with file attachment, enabling them to read and exfiltrate arbitrary local files as email attachments. [2]


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to read arbitrary files on the server where the WordPress site is hosted.

Attackers can exfiltrate sensitive local files by submitting crafted form requests that cause the plugin to attach these files to emails sent by the site.

The impact includes potential exposure of sensitive information such as configuration files, credentials, or other private data stored on the server.

Because the vulnerability does not require authentication and can be triggered remotely, it poses a significant security risk.

The CVSS v3.1 base score of 7.5 reflects a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed, with high confidentiality impact.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the JetFormBuilder WordPress plugin allowing arbitrary file read via path traversal through crafted form requests that include file paths in the Media Field preset JSON payload. Detection involves monitoring for suspicious HTTP requests targeting forms configured with Media Field and Send Email actions that include unusual or unexpected file path parameters.

Specifically, detection can focus on HTTP POST requests to the affected WordPress site that submit form data containing file paths outside the expected WordPress uploads directory (wp-content/uploads). Such requests may attempt to exfiltrate local files as email attachments.

Suggested commands for detection include:

- Using web server access logs, search for POST requests to the form endpoint with suspicious payloads containing file paths with traversal patterns (e.g., '../'). For example, on a Linux server:

  grep -i 'POST' /var/log/apache2/access.log | grep -E '\.\.\/|%2e%2e%2f'

- Using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests containing suspicious file path patterns. Example tcpdump command to capture HTTP POST traffic:

  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST'

  Then inspect captured payloads for file path traversal strings like '../' or encoded equivalents.

Additionally, scanning the WordPress installation to identify if the JetFormBuilder plugin version is 3.5.6.2 or earlier (vulnerable versions) can help detect exposure. [4, 5]


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to update the JetFormBuilder WordPress plugin to version 3.5.6.3 or later, which contains the fix for CVE-2026-4373.

The update enforces strict normalization and validation of file paths to ensure only files within the WordPress uploads directory can be accessed or attached, effectively blocking the path traversal exploit.

If an immediate update is not possible, consider temporarily disabling or restricting forms that use the Media Field preset combined with Send Email actions that attach files, to prevent exploitation.

Additionally, review and restrict permissions related to file uploads and email sending in the plugin settings to limit exposure.

Monitor logs for suspicious activity as described in detection steps and consider implementing web application firewall (WAF) rules to block requests containing path traversal patterns targeting the vulnerable plugin.
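To make the weak basename-only comparison from the description and the strict uploads-directory containment from the mitigation above concrete, here is an added PHP example; it is not JetFormBuilder's code, and the function names and the temporary-directory layout are assumptions made for the demonstration.

```php
<?php
// Illustrative code, not JetFormBuilder's: a basename-only "same file" check
// (the weakness the advisory describes) beside a containment check that
// resolves both paths and requires the candidate to live under uploads.

// Weak: any two files that share a basename compare equal, so a path
// elsewhere on disk passes as "the uploaded file".
function is_same_file_by_basename(string $a, string $b): bool {
    return basename($a) === basename($b);
}

// Strict: realpath() collapses ../ and symlinks; the resolved path must then
// start with the resolved uploads directory. Returns the resolved path or null.
function resolve_inside_uploads(string $user_path, string $uploads_dir): ?string {
    $base = realpath($uploads_dir);
    $real = realpath($user_path);
    if ($base === false || $real === false) {
        return null; // nonexistent path: reject rather than guess
    }
    // Trailing separator so "/srv/uploads-evil/x" is not accepted for "/srv/uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

function is_same_file_strict(string $a, string $b, string $uploads_dir): bool {
    $ra = resolve_inside_uploads($a, $uploads_dir);
    $rb = resolve_inside_uploads($b, $uploads_dir);
    return $ra !== null && $rb !== null && $ra === $rb;
}

// Constructed demo layout under a temp dir: an uploads tree plus a file
// outside it that shares the basename of a genuinely uploaded file.
$root    = sys_get_temp_dir() . '/jfb_demo_' . getmypid();
$uploads = $root . '/wp-content/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/report.pdf', "uploaded\n");
file_put_contents($root . '/report.pdf', "not an upload\n");

$uploaded = $uploads . '/report.pdf';
$outside  = $uploads . '/../../report.pdf'; // traverses out of uploads

printf("basename-only check: %s\n", var_export(is_same_file_by_basename($uploaded, $outside), true));
printf("strict check:        %s\n", var_export(is_same_file_strict($uploaded, $outside, $uploads), true));
printf("outside path resolves to: %s\n", var_export(resolve_inside_uploads($outside, $uploads), true));

// Clean up the constructed files.
foreach ([$uploaded, $root . '/report.pdf'] as $f) { unlink($f); }
rmdir($uploads); rmdir($root . '/wp-content'); rmdir($root);
```

The basename comparison accepts the traversing path because both names end in report.pdf, while the strict check rejects it because its resolved location is outside the uploads directory.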

