{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32525", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:19.948Z", "datePublished": "2026-03-25T16:15:08.389Z", "dateUpdated": "2026-04-29T09:52:01.154Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "jetformbuilder", "product": "JetFormBuilder", "vendor": "jetmonsters", "versions": [{"changes": [{"at": "3.5.6.2", "status": "unaffected"}], "lessThanOrEqual": "<= 3.5.6.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.469Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.<p>This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.154Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-6-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:55:12.188434Z", "id": "CVE-2026-32525", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:55:25.278Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32525", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:55:12.188434Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:55:22.035Z"}}], "cna": {"title": "WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "affected": [{"vendor": "jetmonsters", "product": "JetFormBuilder", "versions": [{"status": "affected", "changes": [{"at": "3.5.6.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.5.6.1"}], "packageName": "jetformbuilder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:41.469Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-6-1-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.<p>This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:08.389Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32525", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:55:25.278Z", "dateReserved": "2026-03-12T11:12:19.948Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:08.389Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1."}, {"lang": "es", "value": "Vulnerabilidad de Control Inadecuado de la Generaci\u00f3n de C\u00f3digo ('Inyecci\u00f3n de C\u00f3digo') en jetmonsters JetFormBuilder jetformbuilder permite la Inyecci\u00f3n de C\u00f3digo. Este problema afecta a JetFormBuilder: desde n/a hasta &lt;= 3.5.6.1."}], "id": "CVE-2026-32525", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:05.553", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-6-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.5.6.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[3.5.6.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JetFormBuilder", "source": "cna", "vendor": "jetmonsters"}, "product": "jetformbuilder", "vendor": "jetmonsters"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T22:22:35.072234+00:00", "value": {"mitigation_remediation": ["Upgrade JetFormBuilder to a version newer than 3.5.6.1, ideally the latest stable release.", "If an update cannot be applied immediately, disable or uninstall the plugin until a patch is available.", "Implement application\u2011layer filtering or a web\u2011application firewall to block suspicious code\u2011injection patterns in form input.", "After applying the fix, run a comprehensive vulnerability scan to confirm remediation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the JetFormBuilder plugin in any release up through 3.5.6.1 are affected. Versions before 3.5.6.1 are also listed as vulnerable, so any site with an older release is at risk. Site administrators should verify the plugin version in use and consider a version audit to identify exposure.", "description_and_impact": "The JetFormBuilder plugin contains an improper control of code generation flaw that allows an attacker to inject and execute arbitrary PHP code on the web server. This code injection weakness (CWE\u201194) can be used to take full control of the WordPress site, accessing files, databases, and potentially the underlying operating system.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.9, indicating critical severity. No EPSS score is provided, so the likelihood of exploitation cannot be quantified, and the issue is not recorded in the CISA KEV catalog. Based on the description, it is inferred that the attack would be carried out remotely, possibly by submitting malicious input through the plugin's form handling, although the exact exploitation method is not explicitly stated."}}}}, "created": "2026-03-26T11:35:07.162930+00:00", "updated": "2026-03-26T12:12:24.102382+00:00", "vendors": ["jetmonsters", "jetmonsters$PRODUCT$jetformbuilder", "wordpress", "wordpress$PRODUCT$wordpress"]}