cleantalk
Vulnerabilities and Security Researches

JetFormBuilder — Dynamic Blocks Form Builder, CVE-2025-11991

CVE, Research URL

CVE-2025-11991

Home page URL

Security reports for JetFormBuilder — Dynamic Blocks Form Builder

Application

JetFormBuilder — Dynamic Blocks Form Builder

Published on
Dec 16, 2025
Research Description
The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
Affected versions
max 3.5.4.
Status
vulnerable
Previous vulnerability researches
WC Fields Factory (CVE-2023-0277) , Jun 07, 2024
WC Fields Factory (6cc027737736ffa5a4ad7d18f7aacab3368b4dae) , Jun 07, 2024
New vulnerability
Download Plugins and Themes from Dashboard (CVE-2025-14399) , Jan 10, 2026
Heateor Social Login WordPress (CVE-2025-68998) , Jan 10, 2026
AnnunciFunebri Impresa (CVE-2025-14447) , Jan 10, 2026
Serial Codes Generator and Validator with WooCommerce Support (CVE-2025-62091) , Jan 10, 2026
Effect Maker (CVE-2025-68867) , Jan 10, 2026