CVE-2025-64384
Description
Missing Authorization vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetFormBuilder: from n/a through <= 3.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JetFormBuilder WordPress plugin <=3.5.3 has a missing authorization vulnerability allowing unauthenticated access to privileged actions, potentially exploited in mass campaigns.
The JetFormBuilder plugin for WordPress, versions up to and including 3.5.3, contains a missing authorization vulnerability. This flaw stems from the plugin's failure to properly enforce access control checks, allowing exploitation of incorrectly configured access control security levels [1].
Attackers can exploit this vulnerability without requiring authentication, as it is a broken access control issue. The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites, regardless of their traffic size or popularity [1].
Successful exploitation enables an unprivileged user to execute higher privileged actions, potentially leading to unauthorized access or modification of site data. The CVSS v3 score is 5.3 (Medium), reflecting the moderate impact and ease of exploitation [1].
To mitigate the risk, users should update the JetFormBuilder plugin to version 3.5.4 or later. Patchstack users can enable auto-update for vulnerable plugins. Although the severity is considered low, immediate patching is recommended to prevent potential compromise [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=3.5.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.