Atomic Edge analysis of CVE-2026-4373:
This vulnerability is an unauthenticated arbitrary file read in the JetFormBuilder WordPress plugin. The flaw resides in the Media Field preset functionality, allowing attackers to exfiltrate arbitrary local files as email attachments. The CVSS score of 7.5 reflects a high-severity confidentiality impact.

Atomic Edge research identifies the root cause as a combination of two insecure code paths. The `Uploaded_File::set_from_array` method in `jetformbuilder/includes/classes/resources/uploaded-file.php` directly accepted a user-supplied `file` path from a JSON payload without validation. The `File_Tools::is_same_file` method in `jetformbuilder/includes/classes/resources/file-tools.php` performed an insufficient check, comparing only file basenames. This allowed path traversal payloads to bypass the intended same-file verification.

Exploitation requires a form configured with a Media Field and a Send Email action that attaches files. An attacker submits a crafted form request containing a preset JSON payload. This payload includes a `file` parameter with a path traversal sequence pointing to a sensitive local file, such as `/etc/passwd` or `wp-config.php`. When the form processes the request, the plugin attaches the specified file to an outgoing email, enabling exfiltration.

The patch introduces a new `normalize_allowed_upload_file_path` static method in the `Uploaded_File` class. This method normalizes the file path, resolves symlinks via `realpath`, and validates that the resulting absolute path resides within the WordPress uploads directory. The patch also updates `set_from_array` and `get_attachment_file` to call this sanitizer. The `is_same_file` method now uses the sanitized `get_attachment_file` path for comparison. The `Send_Email_Action` class adds a `filter_safe_attachments` method that applies the same validation to all email attachments.
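To make the contrast concrete, the following standalone PHP is an added illustration, not JetFormBuilder's own code: a basename-only comparison of the kind described for `is_same_file` next to a containment check of the kind the patch introduces, which canonicalises the path with `realpath` and requires the result to stay inside the uploads directory. The function names, the temporary uploads tree and the file named `passwd` outside it are constructed for the demo.

```php
<?php
// Illustrative reconstruction of the two checks described above; names
// and directory layout are assumptions, not JetFormBuilder's own code.

// Weak check: compares basenames only, so any traversal path that ends in
// the expected file name is accepted.
function weak_is_same_file(string $expected, string $submitted): bool {
    return basename($expected) === basename($submitted);
}

// Hardened check: canonicalise with realpath (resolves ../ and symlinks),
// then require the result to be a regular file inside $uploads_dir.
// Returns the canonical path, or null when the file must be rejected.
function normalize_allowed_upload_file_path(string $path, string $uploads_dir): ?string {
    $base = realpath($uploads_dir);
    $real = realpath($path);               // false if missing or unresolvable
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Constructed fixture: a fake uploads tree plus a file outside it that
// shares the basename "passwd", both under the system temp directory.
$tmp     = sys_get_temp_dir() . '/jfb-demo-' . getmypid();
$uploads = $tmp . '/uploads';
$outside = $tmp . '/secrets';
mkdir($uploads . '/2026/01', 0700, true);
mkdir($outside, 0700, true);
file_put_contents($uploads . '/2026/01/passwd', 'benign upload');
file_put_contents($outside . '/passwd', 'must never be attached');

$legit     = $uploads . '/2026/01/passwd';
$traversal = $uploads . '/2026/01/../../../secrets/passwd';

foreach ([$legit, $traversal] as $candidate) {
    $weak = weak_is_same_file('passwd', $candidate) ? 'accept' : 'reject';
    $hard = normalize_allowed_upload_file_path($candidate, $uploads) ?? 'reject';
    echo "$candidate\n  weak: $weak\n  hardened: $hard\n";
}
// The weak check accepts both candidates; the hardened check returns the
// canonical uploads path for the first and rejects the traversal.

// Remove the fixture.
foreach ([$legit, $outside . '/passwd'] as $f) { unlink($f); }
foreach ([$uploads . '/2026/01', $uploads . '/2026', $uploads, $outside, $tmp] as $d) { rmdir($d); }
```

Run it with the PHP CLI; the same prefix comparison is what an attachment filter such as the described `filter_safe_attachments` would apply to every path before handing it to the mailer.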

Successful exploitation leads to full local file disclosure. Attackers can read any file readable by the web server process, including WordPress configuration files, sensitive operating system files, and database credentials. This data exposure can facilitate further attacks, such as site takeover or server compromise.