CVE-2026-4373

Name of the Vulnerable Software and Affected Versions JetFormBuilder plugin for WordPress versions up to and including 3.5.6.2

Description The JetFormBuilder plugin for WordPress is susceptible to arbitrary file read due to a path traversal flaw. The issue stems from the Uploaded File::set from array method accepting user-supplied file paths from the Media Field preset JSON payload without proper validation to ensure the path resides within the WordPress uploads directory. This, combined with an inadequate same-file check in the File Tools::is same file function that only compares basenames, allows unauthenticated attackers to extract arbitrary local files as email attachments. This is achieved by submitting a specially crafted form request when the form is configured with a Media Field and a Send Email action that includes file attachment functionality.

Recommendations Upgrade to version 3.5.6.3 or later.