{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11991", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T19:44:03.576Z", "datePublished": "2025-12-16T07:21:06.272Z", "dateUpdated": "2026-04-08T17:19:38.755Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:38.755Z"}, "affected": [{"vendor": "jetmonsters", "product": "JetFormBuilder \u2014 Dynamic Blocks Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The JetFormBuilder \u2014 Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits."}], "title": "JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tri Firdyanto"}], "timeline": [{"time": "2025-10-12T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-20T20:24:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-15T18:47:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T21:34:27.628131Z", "id": "CVE-2025-11991", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T21:34:34.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T21:34:27.628131Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T21:34:31.585Z"}}], "cna": {"title": "JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation", "credits": [{"lang": "en", "type": "finder", "value": "Tri Firdyanto"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "jetmonsters", "product": "JetFormBuilder \u2014 Dynamic Blocks Form Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.5.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-12T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-10-20T20:24:16.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-15T18:47:07.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26"}], "descriptions": [{"lang": "en", "value": "The JetFormBuilder \u2014 Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-16T07:21:06.272Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11991", "state": "PUBLISHED", "dateUpdated": "2025-12-16T21:34:34.711Z", "dateReserved": "2025-10-20T19:44:03.576Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-16T07:21:06.272Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The JetFormBuilder \u2014 Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits."}], "id": "CVE-2025-11991", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-16T08:15:50.650", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:44:10.944914+00:00", "value": {"mitigation_remediation": ["Upgrade JetFormBuilder to version\u202f3.5.4 or later to remove the missing authorization check.", "If an upgrade is not yet available, disable the AI form generation endpoint by removing or blocking its route in the plugin\u2019s configuration.", "Monitor the site\u2019s AI usage statistics and enforce rate limits to detect and mitigate unauthorized form creation attempts."], "summary": {"action": "Update Plugin", "impact": "Unauthorized form generation and AI usage consumption"}, "threat_synthesis": {"affected_systems": "JetFormBuilder plugins for WordPress released by Jet Monsters with versions up to and including 3.5.3 are affected, as the missing check exists in all those releases.", "description_and_impact": "The plugin has a missing capability check on the run_callback function, allowing any user, even unauthenticated visitors, to call the AI form generation endpoint. This permits the unauthorized creation of forms, causing the site to consume AI usage limits without permission. The vulnerability is a classic missing authorization flaw (CWE\u2011862) that enables unwanted data modification in the form builder system.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1\u202f% shows a very low exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Attackers would likely leverage unauthenticated HTTP requests to the AI form generation endpoint to create forms, draining the site's AI usage limits and potentially leading to denial of paid AI features, but the impact is limited to resource consumption rather than system compromise."}}}}, "created": "2025-12-16T17:09:00.201705+00:00", "updated": "2026-04-21T00:45:23.103261+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}