Authorization Bypass Vulnerability in JetFormBuilder Plugin for WordPress
CVE-2026-13459
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-13459?
The JetFormBuilder plugin for WordPress fails to adequately verify user authorization, allowing unauthenticated attackers to access and retrieve sensitive data from the site's database. This vulnerability specifically exploits published forms that utilize a get_from_db generator function. Attackers can discover form IDs and field names through public access, enabling them to retrieve distinct values such as WooCommerce billing details, post metadata, and potentially sensitive third-party plugin tokens. This flaw emphasizes the critical importance of proper authorization checks within plugins to safeguard user privacy.
Affected Version(s)
JetFormBuilder β Dynamic Blocks Form Builder 0 <= 3.6.3