CVE-2026-4373
Published: 21 March 2026
Summary
CVE-2026-4373 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in WordPress (product inferred from references); the affected component is the JetFormBuilder plugin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 35.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Requires timely remediation of the path traversal flaw in JetFormBuilder by applying available patches, directly eliminating the vulnerability.
- SI-10 (Information Input Validation): mandates validation of user-supplied file paths from Media Field JSON payloads to ensure they remain within the WordPress uploads directory, preventing path traversal exploitation.
- AU-13 (Monitoring for Information Disclosure): enables monitoring for unauthorized disclosure of arbitrary local files exfiltrated as email attachments via crafted form submissions.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Path traversal in a public-facing WordPress plugin enables unauthenticated arbitrary local file read, with the file exfiltrated as an email attachment.
NVD Description
The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.
Deeper analysis [AI-generated]
CVE-2026-4373 is a path traversal vulnerability (CWE-36) in the JetFormBuilder plugin for WordPress, affecting all versions up to and including 3.5.6.2. The issue stems from the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from Media Field preset JSON payloads without validating that the paths belong to the WordPress uploads directory. This is compounded by an insufficient same-file check in 'File_Tools::is_same_file', which only compares basenames, enabling arbitrary file reads.
Unauthenticated attackers can exploit the vulnerability by submitting a crafted form request to a JetFormBuilder form configured with a Media Field and a Send Email action that includes file attachments. Successful exploitation allows attackers to exfiltrate arbitrary local files from the server as email attachments. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility, low complexity, no privileges or user interaction required, and high confidentiality impact.
Patches addressing the vulnerability are available via changeset 3486996 in the JetFormBuilder plugin repository at https://plugins.trac.wordpress.org/changeset/3486996/jetformbuilder. Further details on the issue, including affected code locations in uploaded-file.php (line 99), send-email-action.php (line 214), and file-uploader.php (line 313), are provided in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/1801fd3e-d56f-4540-9700-9e9de8b465e1?source=cve. Security practitioners should prioritize updating affected WordPress sites running vulnerable JetFormBuilder versions.
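As an added illustration (not JetFormBuilder's own code), the basename-only comparison the advisory attributes to 'File_Tools::is_same_file' is shown beside a containment check that anchors the resolved path to the uploads directory, which is the SI-10 input validation the analysis recommends. The function names, the throwaway uploads directory and the sample paths are constructed for this example.

```php
<?php
// Added example, not JetFormBuilder code. Function names are hypothetical.

// Weak check, modelled on the basename-only comparison described for
// File_Tools::is_same_file: "/etc/passwd" and "<uploads>/passwd" share a
// basename, so a traversal path is treated as the expected upload.
function weak_is_same_file(string $expected, string $candidate): bool
{
    return basename($expected) === basename($candidate);
}

// Hardened check: canonicalise both paths (realpath collapses "..") and
// require the candidate to be an existing regular file located strictly
// inside the uploads directory. Anything unresolvable is rejected.
function is_inside_uploads(string $uploads_dir, string $candidate): bool
{
    $base = realpath($uploads_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// Constructed demo: a throwaway "uploads" directory with one legitimate file.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-uploads-' . getmypid();
mkdir($uploads, 0700, true);
$legit = $uploads . DIRECTORY_SEPARATOR . 'passwd';
file_put_contents($legit, 'harmless upload');

// A traversal value of the kind a crafted Media Field payload could carry.
$traversal = $uploads . '/../../../../../../etc/passwd';

printf("weak check, traversal path accepted:        %s\n",
       weak_is_same_file($legit, $traversal) ? 'yes' : 'no');
printf("hardened check, legitimate upload accepted: %s\n",
       is_inside_uploads($uploads, $legit) ? 'yes' : 'no');
printf("hardened check, traversal path accepted:    %s\n",
       is_inside_uploads($uploads, $traversal) ? 'yes' : 'no');

// Clean up the constructed demo files.
unlink($legit);
rmdir($uploads);
```

The weak check accepts the traversal path because both names end in "passwd", while the hardened check accepts only the file that actually resides under the uploads directory.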
Details
- CWE(s)