CVE-2025-11991
📋 TL;DR
This vulnerability allows unauthenticated attackers to abuse the AI form generation feature of the JetFormBuilder WordPress plugin, consuming the site's AI usage limits without authorization. All WordPress sites running JetFormBuilder versions up to and including 3.5.3 are affected.
💻 Affected Systems
- JetFormBuilder — Dynamic Blocks Form Builder WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete depletion of AI service credits leading to unexpected costs and disruption of legitimate AI-powered form generation functionality.
Likely Case
Unauthorized consumption of AI usage quotas, potentially exhausting allocated limits and disrupting normal form generation operations.
If Mitigated
Minimal impact if AI usage limits are monitored and controlled, though unauthorized access remains possible.
🎯 Exploit Status
Exploitation requires sending crafted requests to the vulnerable REST API endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find JetFormBuilder and click 'Update Now'.
4. Verify the version is 3.5.4 or higher.
🔧 Temporary Workarounds
Disable AI Module
Temporarily disable the AI form generation feature to prevent exploitation.
Restrict REST API Access
Use web application firewall rules to block unauthorized access to the vulnerable endpoint.
🧯 If You Can't Patch
- Disable the JetFormBuilder plugin entirely until patched
- Implement strict rate limiting on the /wp-json/jet-form-builder/ai/generate-form endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → JetFormBuilder version. If version is 3.5.3 or lower, you are vulnerable.
Check Version:
wp plugin list --name=jetformbuilder --field=version
Verify Fix Applied:
After updating, confirm version is 3.5.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /wp-json/jet-form-builder/ai/generate-form from unauthenticated users
- Spikes in AI service usage without corresponding admin activity
Network Indicators:
- HTTP 200 responses from the generate-form endpoint without authentication headers
SIEM Query:
source="wordpress.log" AND uri_path="/wp-json/jet-form-builder/ai/generate-form" AND http_method=POST AND NOT user_agent="WordPress/*"
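Added example (not part of the advisory): a small Python detector that applies the log indicator above to access-log lines in combined format, flagging client IPs whose successful POSTs to the generate-form endpoint exceed a threshold inside a sliding window. The sample log lines, the 5-minute window and the threshold of 10 are constructed assumptions; tune them to your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory's detection section.
TARGET_PATH = "/wp-json/jet-form-builder/ai/generate-form"
# Combined-log-format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_abusive_sources(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: peak successful POSTs to the endpoint within any window} for IPs over threshold."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].split("?")[0].rstrip("/") == TARGET_PATH):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample traffic (not real logs): 12 POSTs from one IP in two minutes, 2 from another, 1 rejected.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2025:12:0{i // 6}:{(i % 6) * 10:02d} +0000] '
    f'"POST {TARGET_PATH} HTTP/1.1" 200 512' for i in range(12)
] + [
    f'198.51.100.4 - - [10/Oct/2025:12:00:05 +0000] "POST {TARGET_PATH} HTTP/1.1" 200 512',
    f'198.51.100.4 - - [10/Oct/2025:12:03:05 +0000] "POST {TARGET_PATH} HTTP/1.1" 200 512',
    f'192.0.2.9 - - [10/Oct/2025:12:04:00 +0000] "POST {TARGET_PATH} HTTP/1.1" 403 0',
]
```

Running `find_abusive_sources(SAMPLE_LOG)` on the constructed data flags only 203.0.113.7; rejected (403) requests and sources below the threshold are ignored.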