Attack Vectors
CVE-2026-4373 is a High-severity vulnerability (CVSS 7.5) affecting the JetFormBuilder — Dynamic Blocks Form Builder plugin (slug: jetformbuilder) in versions up to and including 3.5.6.2.
An unauthenticated attacker can exploit this issue remotely by submitting a crafted form request that abuses the plugin’s Media Field preset JSON payload. No login is required, and the attacker does not need user interaction, which increases the likelihood of exploitation on publicly accessible sites.
In practical terms, this can allow attackers to read arbitrary local files from the server through path traversal and have the data exfiltrated as email attachments generated by form submissions.
Security Weakness
The vulnerability stems from how JetFormBuilder handles file references provided via the Media Field preset data. Specifically, the Uploaded_File::set_from_array method accepts user-supplied file paths without validating that the referenced path is actually within the intended WordPress uploads directory.
This risk is compounded by an insufficient “same file” check in File_Tools::is_same_file that only compares basenames (the filename portion) rather than validating the full, canonical path. As a result, an attacker can point the plugin at sensitive local files on the server and bypass intended restrictions.
Because the plugin can attach files to outbound emails, the weakness creates a straightforward channel for data theft without needing administrator access.
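To make the two weaknesses described above concrete, the following PHP script is an added example written for this page; it is not JetFormBuilder's code, and the function names (is_same_file_by_basename, is_within_uploads) and the temporary uploads directory are hypothetical. It places a basename-only "same file" comparison, which is the pattern the advisory attributes to the plugin, next to a canonical-path containment check of the kind a patched file handler should perform before attaching a referenced file to an email.

```php
<?php
// Added example, not JetFormBuilder's code. Shows a basename-only "same file"
// comparison (the weak pattern the advisory describes) beside a canonical-path
// containment check (the hardened form). All names here are hypothetical.

declare(strict_types=1);

/**
 * Weak check: compares only the filename portion of each path, so two files
 * in completely different directories are reported as "the same" whenever
 * their basenames match.
 */
function is_same_file_by_basename(string $a, string $b): bool
{
    return basename($a) === basename($b);
}

/**
 * Hardened check: resolve both paths to canonical form (collapsing "../"
 * segments and following symlinks) and require the candidate to sit inside
 * the uploads directory. Any path that cannot be resolved is rejected rather
 * than guessed at.
 */
function is_within_uploads(string $candidate, string $uploads_dir): bool
{
    $real_dir  = realpath($uploads_dir);
    $real_file = realpath($candidate);
    if ($real_dir === false || $real_file === false) {
        return false;
    }
    // Trailing separator prevents "/srv/uploads-evil" matching "/srv/uploads".
    $real_dir = rtrim($real_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_file, $real_dir, strlen($real_dir)) === 0;
}

// Constructed demo fixture: a throwaway uploads directory with one real upload.
$uploads = sys_get_temp_dir() . '/demo-uploads-' . bin2hex(random_bytes(4));
mkdir($uploads, 0700);
$legit = $uploads . '/report.pdf';
file_put_contents($legit, 'constructed upload content');

// Constructed candidate paths: one genuine upload, one "../" traversal that
// escapes the directory, and one absolute path outside it.
$candidates = [
    'legitimate upload' => $legit,
    'traversal path'    => $uploads . '/../../etc/hostname',
    'absolute outside'  => '/etc/hostname',
];

echo "Basename-only comparison (weak):\n";
printf("  %-18s %s\n", 'same basename',
    is_same_file_by_basename('/etc/hostname', $uploads . '/hostname') ? 'accepted' : 'rejected');

echo "Canonical containment check (hardened):\n";
foreach ($candidates as $label => $path) {
    printf("  %-18s %s\n", $label,
        is_within_uploads($path, $uploads) ? 'accepted' : 'rejected');
}

// Cleanup of the constructed fixture.
unlink($legit);
rmdir($uploads);
```

Run with `php example.php`. The weak comparison accepts a path outside the uploads directory as soon as its basename matches an expected filename, which is exactly why a basename-only check cannot stand in for path validation. The hardened check accepts only the file that actually resides under the uploads directory after canonicalisation; the traversal form and the absolute path are both rejected, whether or not the target file exists, because an unresolvable path is treated as a failure rather than a match.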
Technical or Business Impacts
Data exposure and compliance risk: Arbitrary file read vulnerabilities can expose sensitive information stored on the web server (for example, configuration files, application secrets, or other internal files). If exposed data includes personal data, credentials, or regulated information, this can trigger incident response obligations, customer notification requirements, and potential regulatory scrutiny.
Brand and revenue impact: If attackers can systematically extract sensitive files, the result can include follow-on compromise (using discovered secrets), service disruption from remediation activities, and reputational damage that affects lead generation, customer trust, and sales pipeline.
Operational impact: Security teams may need to review email logs, form submission history, and server access logs to determine what was accessed and exfiltrated. This increases investigation time and may require external support, creating unplanned cost.
Similar attacks: Path traversal and file-read flaws are a common way attackers steal sensitive server-side data. Examples include CVE-2021-41773 (Apache HTTP Server path traversal / file disclosure) and CVE-2021-42013 (Apache HTTP Server path traversal / RCE variant).
Remediation: Update JetFormBuilder to version 3.5.6.3 or a newer patched version. You can reference the public CVE record here: CVE-2026-4373. For additional vendor analysis and context, see: Wordfence vulnerability entry.