JetFormBuilder WordPress Plugin Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in the JetFormBuilder plugin for WordPress, affecting all versions through 3.5.6.2. The issue arises because the 'Uploaded_File::set_from_array' method accepts user-supplied file paths from the Media Field preset JSON payload without proper validation to ensure the paths are within the WordPress uploads directory. This vulnerability is compounded by a flawed same-file check in 'File_Tools::is_same_file', which only compares file basenames. As a result, unauthenticated attackers can exploit this vulnerability to exfiltrate arbitrary local files as email attachments. This is achieved by sending a crafted form request with a Media Field and a Send Email action that includes file attachments.

Impact

Exploitation of this vulnerability allows for arbitrary file read, with the potential to exfiltrate sensitive files as email attachments.

Reproduction

To reproduce this vulnerability, create a form using the JetFormBuilder plugin version 3.5.6.2 or earlier. Add a Media Field and configure the form to send email with file attachments. When the form is submitted, the vulnerability can be exploited by including a crafted file path that traverses the directory structure to access arbitrary files outside the intended directory.

Remediation

Users are advised to update the JetFormBuilder plugin to version 3.5.6.3 or later, where this vulnerability has been patched.

Added: Mar 21, 2026, 7:20 AM
Updated: Mar 21, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
2.5
exploitability
9.3
remediation
7.7
relevance
2.8
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.