Security Alert Summary
The JetFormBuilder plugin for WordPress contains a path traversal vulnerability that can be used to read arbitrary local files. An unauthenticated attacker can submit a specially crafted form request that causes the plugin to accept and attach local files to outgoing emails when a form uses a Media Field and a Send Email action with file attachment.
CVE Details
- CVE ID: CVE-2026-4373
- Affected component: JetFormBuilder plugin for WordPress
- Affected versions: All versions up to and including 3.5.6.2
- Published: March 21, 2026 at 7:16:10 AM
- Last modified: March 21, 2026 at 7:16:10 AM
- CVSS v3.1: Base Score 7.5, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication: None; Privileges Required: None; User Interaction: None
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- CWE: CWE-36 (Path Traversal)
Technical Details
The vulnerability is an arbitrary file read via path traversal. The plugin’s Uploaded_File::set_from_array method accepts file paths supplied by the user in the Media Field preset JSON payload without verifying that each path resolves to a location inside the WordPress uploads directory. That missing containment check is compounded by an inadequate same-file check in File_Tools::is_same_file, which compares only basenames, so a file outside the uploads directory that shares a file name with an uploaded file passes as the same file. Together these gaps allow an attacker to craft a form submission that references local files outside the uploads directory and have them attached to outgoing emails when the form is configured with a Media Field and a Send Email action with file attachment. The impact is limited to disclosure of local files that the web server process can read; the description does not indicate privilege escalation or remote code execution.
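As an added illustration (not code from JetFormBuilder or from its fix), the PHP below places a basename-only same-file comparison beside a containment check that resolves the submitted path and requires it to stay under the uploads directory; the directory layout, file names and the traversal path are constructed in a temporary directory for the demo.

```php
<?php
// Added example, not the plugin's own code: a basename-only "same file"
// check next to a containment check that requires the resolved path to
// live under the uploads directory. All paths are constructed in a temp dir.
declare(strict_types=1);

// Weak check modelled on a basename-only comparison: any two paths whose
// last component matches are treated as the same file.
function is_same_file_weak(string $a, string $b): bool {
    return basename($a) === basename($b);
}

// Hardened check: resolve symlinks and ".." with realpath() and require the
// result to sit inside the uploads base directory. The trailing separator
// keeps a sibling such as "/uploads-other" from matching "/uploads".
function is_inside_uploads(string $path, string $uploadsDir): bool {
    $base = realpath($uploadsDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false; // nonexistent or unresolvable paths are rejected
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// Constructed layout: <tmp>/wp-content/uploads/report.pdf (a real upload)
// and <tmp>/wp-config.php (a stand-in for a file outside uploads).
$root    = sys_get_temp_dir() . '/jfb-demo-' . getmypid();
$uploads = "$root/wp-content/uploads";
mkdir($uploads, 0700, true);
file_put_contents("$uploads/report.pdf", 'pdf');
file_put_contents("$root/wp-config.php", '<?php // placeholder');

$legit     = "$uploads/report.pdf";            // names a genuine upload
$traversal = "$uploads/../../wp-config.php";   // climbs out of uploads

// The weak check only sees "wp-config.php" on both sides.
printf("weak same-file check on traversal path: %s\n",
    var_export(is_same_file_weak($traversal, "$uploads/wp-config.php"), true));
// The containment check decides on the resolved location instead.
printf("containment check, legitimate upload: %s\n",
    var_export(is_inside_uploads($legit, $uploads), true));
printf("containment check, traversal path: %s\n",
    var_export(is_inside_uploads($traversal, $uploads), true));

// Remove the constructed files.
unlink("$uploads/report.pdf"); unlink("$root/wp-config.php");
rmdir($uploads); rmdir("$root/wp-content"); rmdir($root);
```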
How This Could Impact Your Website
In a realistic scenario, an external attacker submits a specially crafted form to a site that uses JetFormBuilder with a Media Field and a Send Email action, where the site owner or an internal staff member has configured the form to attach files to email notifications. The attacker could cause sensitive local files readable by the web server to be attached and emailed to an address under the attacker’s control, potentially exposing internal documents, configuration files, or stored data such as user contact information. This exposure could increase the risk of targeted phishing or social engineering against staff or contractors who appear in those files. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level and other roles that can submit forms.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and outgoing email behavior for unusual patterns or unexpected attachments.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.6.2/includes/classes/resources/uploaded-file.php#L99
- https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.6.2/modules/actions-v2/send-email/send-email-action.php#L214
- https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.6.2/modules/block-parsers/file-uploader.php#L313
- https://plugins.trac.wordpress.org/changeset/3486996/jetformbuilder
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1801fd3e-d56f-4540-9700-9e9de8b465e1?source=cve