Authorization Bypass Vulnerability in JetFormBuilder Plugin for WordPress
CVE-2026-13459

5.3MEDIUM

What is CVE-2026-13459?

The JetFormBuilder plugin for WordPress fails to adequately verify user authorization, allowing unauthenticated attackers to access and retrieve sensitive data from the site's database. This vulnerability specifically exploits published forms that utilize a get_from_db generator function. Attackers can discover form IDs and field names through public access, enabling them to retrieve distinct values such as WooCommerce billing details, post metadata, and potentially sensitive third-party plugin tokens. This flaw emphasizes the critical importance of proper authorization checks within plugins to safeguard user privacy.

Affected Version(s)

JetFormBuilder β€” Dynamic Blocks Form Builder 0 <= 3.6.3

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Niv Kochan
.