JetFormBuilder — Dynamic Blocks Form Builder, CVE-2025-11991

CVE, Research URL: CVE-2025-11991
Home page URL: Security reports for JetFormBuilder — Dynamic Blocks Form Builder
Application: JetFormBuilder — Dynamic Blocks Form Builder
Published on: Dec 16, 2025
Research Description: The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
Affected versions: max 3.5.4.
Status: vulnerable