CVE-2025-11991 in JetFormBuilder Plugin

Summary

by MITRE • 12/16/2025

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming the site's AI usage limits.


Analysis

by VulDB Data Team • 12/16/2025

CVE-2025-11991 affects the JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress and is a critical authorization flaw. The root cause is a missing capability check in the plugin's run_callback function, which governs form generation operations. Because the function never verifies that the caller holds the required capability, unauthenticated attackers can bypass the normal access controls and invoke a privileged operation. All versions up to and including 3.5.3 are affected, so every installation that has not received the patched release is exposed.

The flaw sits in the plugin's callback execution path: when run_callback processes a form generation request, it does not check whether the requester holds the capability required for that operation. That missing check gives an unauthenticated client a direct route into the form building process. It matters more than a typical missing check because the reachable operation is the plugin's AI-powered form generation, a feature normally limited to authenticated users with appropriate privileges. In effect the plugin treats every incoming request as legitimate, producing an access-control bypass that is exploitable remotely.

The operational impact goes beyond data modification to resource consumption and possible service disruption. An unauthenticated attacker can trigger AI-backed form generation and exhaust the site's AI usage limits. For sites on metered or paid AI plans this means unexpected cost, degraded service, or AI features becoming unavailable once the quota is spent. Unauthorized form generation could also serve as a stepping stone for further attacks, for example to establish persistence or to gather information about the target system through form submission patterns.

The weakness maps to CWE-284 (Improper Access Control) and can be mapped to ATT&CK technique T1078.004 for valid accounts usage, since the vulnerability grants unauthorized access to privileged operations without authentication. Remediation is to update to the latest JetFormBuilder release, in which the capability check has been implemented. Complementary mitigations include rate limiting the form generation endpoints at the network or application level, monitoring for unusual AI usage, and auditing the other WordPress plugins in use. The case illustrates why every handler that performs a privileged operation needs an explicit capability check, and why plugin components that handle such operations deserve dedicated security testing. Regular assessments and keeping all WordPress components current remain the baseline defences against similar authorization flaws across the WordPress ecosystem.
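As an added illustration (not JetFormBuilder's code; the action names, function names and the rate-limit values are hypothetical), the following WordPress AJAX handler shows the vulnerable pattern described above, a callback reachable without any capability check, beside a hardened version that enforces a nonce, a capability check and the per-user rate limiting mentioned under mitigations.

```php
<?php
// Added example, not the plugin's code. Action and function names are hypothetical.

// Vulnerable pattern: the callback runs for any request, including unauthenticated
// ones via the wp_ajax_nopriv_ hook, with no capability or nonce verification.
function example_run_callback_vulnerable() {
    $prompt = sanitize_text_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    $form   = example_generate_form_with_ai( $prompt ); // consumes the site's AI quota
    wp_send_json_success( $form );
}
add_action( 'wp_ajax_example_run_callback', 'example_run_callback_vulnerable' );
add_action( 'wp_ajax_nopriv_example_run_callback', 'example_run_callback_vulnerable' );

// Hardened pattern: verify the nonce (CSRF), require a capability (authorization),
// and throttle per user so even an authorized account cannot drain the AI quota.
function example_run_callback_hardened() {
    // 1. Nonce tied to this action; the client obtains it from wp_create_nonce().
    check_ajax_referer( 'example_run_callback_secure', 'nonce' );

    // 2. Capability check: only users allowed to edit posts may generate forms.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Per-user rate limit stored in a transient (assumed: 20 calls per 10 minutes).
    $key   = 'example_ai_calls_' . get_current_user_id();
    $count = (int) get_transient( $key );
    if ( $count >= 20 ) {
        wp_send_json_error( array( 'message' => 'Rate limit exceeded.' ), 429 );
    }
    set_transient( $key, $count + 1, 10 * MINUTE_IN_SECONDS );

    $prompt = sanitize_text_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    if ( '' === $prompt ) {
        wp_send_json_error( array( 'message' => 'Missing prompt.' ), 400 );
    }
    wp_send_json_success( example_generate_form_with_ai( $prompt ) );
}
// Registered only for logged-in users: no wp_ajax_nopriv_ hook for privileged work.
add_action( 'wp_ajax_example_run_callback_secure', 'example_run_callback_hardened' );

// Stand-in for the AI call (hypothetical); real code would call the AI backend here.
function example_generate_form_with_ai( $prompt ) {
    return array( 'fields' => array( array( 'type' => 'text', 'label' => $prompt ) ) );
}
```

The wp_ajax_nopriv_ registration in the vulnerable half is exactly what exposes the callback to unauthenticated callers; the hardened half omits it and still checks the capability, because being logged in is not the same as being authorized.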

Disclosure: 12/16/2025

Moderation: accepted

CPE: ready

EPSS: 0.00119

KEV: no

Activities: very low
