CVE-2026-32525

JetMonsters · JetFormBuilder

JetFormBuilder is vulnerable to Code Injection due to improper control of code generation. This affects versions up to and including 3.5.6.1.

Executive summary

A critical code injection vulnerability in the JetFormBuilder WordPress plugin allows unauthenticated attackers to execute arbitrary code on the server, leading to a complete site takeover.

Vulnerability

The vulnerability is a Code Injection flaw (CWE-94, Improper Control of Generation of Code) in the JetFormBuilder plugin. Input that reaches the plugin's form-processing paths is not properly sanitized before it is used to generate executable code, so an unauthenticated attacker can submit crafted input that is injected into, and executed as, PHP on the server.

Business impact

Successful exploitation yields Remote Code Execution (RCE): the injected code runs with the privileges of the web server's PHP process, which on a typical WordPress host can read the database credentials in wp-config.php, write to the plugin and upload directories, and modify any site content. This can lead to theft of customer data, deployment of malware or web shells, and total loss of site availability. The CVSS score of 9.9 places the issue at the top of the critical range.

Remediation

Immediate Action: Update JetFormBuilder to version 3.5.7 or later; all versions up to and including 3.5.6.1 remain exploitable, so do not wait for a maintenance window.

Proactive Monitoring: Review web logs for unusual POST requests to form-processing endpoints whose parameters contain PHP code fragments (for example `<?php`, `eval(`, `base64_decode(`, `system(`) or long obfuscated/base64 strings. Note that a standard access log records only the request line, not the POST body; to inspect bodies you need a WAF log, a request-logging module, or a reverse proxy configured to capture them. Unexplained new `.php` files under wp-content/uploads or the plugin directory after such a request are a strong sign of successful exploitation.
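The following is an added example of the log review described above; it is not code from the advisory or from JetMonsters. It assumes a combined-format access log with an optional trailing `body="..."` field as a WAF or request-logging module might append, and it assumes the form-processing endpoints are admin-ajax.php and a hypothetical `/wp-json/jet-form-builder/` REST prefix; the real endpoints are not named in the advisory, so adjust `FORM_ENDPOINTS` to your site. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed form-processing endpoints (hypothetical; the advisory names none).
FORM_ENDPOINTS = (
    "/wp-admin/admin-ajax.php",
    "/wp-json/jet-form-builder/",
)

# PHP code fragments and common obfuscation/execution primitives.
PHP_FRAGMENT = re.compile(
    r"<\?php|<\?=|"
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|base64_decode|gzinflate|str_rot13)\s*\(|"
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.I,
)
# A long run of base64 alphabet is a cheap heuristic for an obfuscated payload.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Combined log format plus an optional body="..." field written by a WAF/request logger (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: body="(?P<body>.*)")?$'
)


def classify(line):
    """Return a finding dict for a suspicious POST to a form endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    path, _, query = m["path"].partition("?")
    if not any(path.startswith(ep) for ep in FORM_ENDPOINTS):
        return None
    # Decode percent-encoding so <?php hidden as %3C%3Fphp is visible to the patterns.
    payload = unquote_plus(query) + " " + unquote_plus(m["body"] or "")
    reasons = []
    if PHP_FRAGMENT.search(payload):
        reasons.append("php-fragment")
    if LONG_BASE64.search(payload):
        reasons.append("long-base64")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": path, "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log: one benign GET, one benign form POST, one POST carrying a PHP
# fragment, one POST carrying a long base64 blob, and one POST whose body was not logged.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"https://example.com/contact/" "Mozilla/5.0" body="action=submit_form&name=Alice&email=alice%40example.com"',
    '198.51.100.23 - - [10/Mar/2026:12:02:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"-" "python-requests/2.31" body="action=submit_form&name=%3C%3Fphp+system%28%24_GET%5B%27c%27%5D%29%3B+%3F%3E"',
    '198.51.100.23 - - [10/Mar/2026:12:02:43 +0000] "POST /wp-json/jet-form-builder/submit HTTP/1.1" 200 512 '
    '"-" "python-requests/2.31" body="action=submit_form&data=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"',
    '198.51.100.23 - - [10/Mar/2026:12:02:50 +0000] "POST /wp-admin/admin-ajax.php?action=submit_form HTTP/1.1" 200 512 '
    '"-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line is the important caveat: it is the same attacker, same endpoint, but the body was not captured, so nothing fires. Without body logging this review can only catch payloads that were placed in the query string. The long-base64 heuristic will also flag legitimate tokens or nonces of 40+ characters, so treat that reason as a lead to correlate with source IP, user agent and timing rather than as a verdict on its own.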

Compensating Controls: Implement file integrity monitoring (FIM) on the WordPress core, plugin and upload directories so that any file added or changed outside of a known update is detected quickly. Take the baseline from a known-good source (a fresh copy of the plugin at the pinned version, not a host that may already be compromised) and store it off the web server so an attacker with RCE cannot rewrite it.
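As an added illustration of that control (not code from the advisory or from JetMonsters), the block below hashes every file under a plugin directory into a manifest and reports what was added, removed or modified relative to a baseline manifest. The plugin directory layout and file contents in `demo()` are constructed in a temporary directory to simulate a dropped web shell and a tampered handler; the path names are hypothetical.

```python
import hashlib
import pathlib
import tempfile


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = pathlib.Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        manifest[p.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; any entry in the result is a change to investigate."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a fake plugin tree, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = pathlib.Path(tmp) / "wp-content" / "plugins" / "jetformbuilder"
        (plugin / "includes").mkdir(parents=True)
        (plugin / "jet-form-builder.php").write_text("<?php // constructed plugin bootstrap\n")
        (plugin / "includes" / "form.php").write_text("<?php // constructed form handler\n")
        baseline = hash_tree(plugin)  # in practice: taken from a clean copy, stored off-host

        # Simulated post-exploitation activity: a handler is backdoored and a web shell is dropped.
        (plugin / "includes" / "form.php").write_text("<?php eval($_POST['x']); // constructed tamper\n")
        (plugin / "wp-cache.php").write_text("<?php // constructed dropped web shell\n")

        return diff_manifests(baseline, hash_tree(plugin))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline manifest is generated from the plugin archive at the pinned version, written somewhere the web server user cannot modify, and `diff_manifests` runs from cron or a monitoring agent; a legitimate plugin update is then the only event expected to produce a non-empty result, and it should be followed by re-baselining.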

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the CVSS score of 9.9 and the fact that no authentication is required, this vulnerability is critical. We recommend updating the JetFormBuilder plugin immediately. Administrators should also review their WordPress security posture so that unauthenticated code execution is contained by layered defenses: run PHP under a least-privileged account, restrict write access to the web root to what the site genuinely needs, place a WAF in front of form-processing endpoints, and keep file integrity monitoring and request logging in place so that exploitation attempts are detected rather than discovered after the fact.