CVE-2024-7291
JetFormBuilder <= 3.3.4.1 - Authenticated (Administrator+) Privilege EscalationThe JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.
We have discovered 2,180 live websites that are affected by CVE-2024-7291.
Affected Software
| Product |  Jetformbuilder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 2,180 live websites (38% of Jetformbuilder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 36 versions ( 59% of all versions) |
Common Weakness Enumeration
CWE-269 Improper Privilege ManagementDetails
- Published - Aug 3, 2024
- Updated - Apr 8, 2026
Credits
- István Márton (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-7291 United States | 429 websites |
 Germany | 219 websites |
 Brazil | 207 websites |
 Netherlands | 118 websites |
 France | 117 websites |
 Spain | 94 websites |
 GB | 75 websites |
 Bulgaria | 70 websites |
 Canada | 56 websites |
 Belgium | 51 websites |
Website Distribution by TLD
Number of websites using CVE-2024-7291| .com | 743 websites |
| .com.br | 167 websites |
| .de | 126 websites |
| .org | 102 websites |
| .nl | 99 websites |
| .fr | 53 websites |
| .ch | 42 websites |
| .it | 40 websites |
| .at | 39 websites |
| .co.uk | 36 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-7291
Top websites that are affected by CVE-2024-7291. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *****.org | United States | **,*** | |
| ****.********.edu | United States | **,*** | |
| *******.com |  Cyprus | ***,*** | |
| *******************.de | Germany | ***,*** | |
| **************.org | United States | ***,*** | |
| *************.com | Canada | ***,*** | |
| ***********.eu |  Portugal | ***,*** | |
| ***********************.fr | France | ***,*** |
FAQ
CVE-2024-7291 is Improper Privilege Management in Jetformbuilder
A total of 2,180 websites have been identified as vulnerable to CVE-2024-7291, based on global website indexing conducted by WebTechSurvey.
The Jetformbuilder is affected by the CVE-2024-7291 vulnerability.
Jetformbuilder versions up to and including 3.3.4.1 are vulnerable to CVE-2024-7291.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8ea1c2-7c6e-43b3-97ca-a06438d51d11?source=cve
- https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/types/register-user.php#L220
- https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/methods/update-user/user-meta-property.php#L23