CVE-2026-13459
Status: Received - Intake

Authorization Bypass in JetFormBuilder WordPress Plugin

Vulnerability report for CVE-2026-13459, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. The plugin does not properly verify that a user is authorized to perform an action. As a result, unauthenticated attackers can retrieve every distinct value stored under any arbitrary wp_postmeta key on the site, including WooCommerce billing PII such as the _billing_email, _billing_phone, and _billing_address fields, order totals, attachment paths, and any third-party plugin credentials or tokens stored in post meta, provided at least one published JetFormBuilder form with a get_from_db generator field exists on the site. Exploitation requires that the target site has at least one published jet-form-builder post containing a field whose generator_function is set to get_from_db; an attacker must supply a matching form ID, field name, and generator ID in the request, but all of these can be discovered by browsing the site's public forms.


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:
Vendor: jetformbuilder
Product: dynamic_blocks_form_builder
Version / Range: up to and including 3.6.3

Exploitability

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions (AI-generated insights)

Executive Summary

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 3.6.3: the plugin does not properly verify whether a user is authorized to perform certain actions.

Because of this flaw, unauthenticated attackers can retrieve any distinct value stored under any wp_postmeta key on the site. This includes sensitive information such as WooCommerce billing personal data (email, phone, address), order totals, attachment paths, and credentials or tokens from third-party plugins stored in post meta.

To exploit this vulnerability, the target site must have at least one published JetFormBuilder form with a get_from_db generator field. An attacker can discover the required form ID, field name, and generator ID by browsing the site's public forms and then supply these in a request to retrieve the data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on your WordPress site.

  • Exposure of personally identifiable information (PII) such as billing email, phone number, and address from WooCommerce orders.
  • Leakage of order totals and financial data.
  • Disclosure of attachment paths and potentially sensitive file locations.
  • Exposure of credentials or tokens from third-party plugins stored in post meta.

Overall, this can lead to privacy breaches, data theft, and potential misuse of sensitive information by attackers.

Compliance Impact

The vulnerability allows unauthenticated attackers to retrieve personally identifiable information (PII) such as billing email, phone, and address stored in WooCommerce post meta fields. Exposure of such sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require proper authorization and protection of personal data.

Because the plugin does not properly verify user authorization, it enables unauthorized access to sensitive customer information, potentially violating requirements for data confidentiality and access controls mandated by these standards.
