CVE-2025-11991
JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form GenerationThe JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
We have discovered 3,086 live websites that are affected by CVE-2025-11991.
Affected Software
| Product |  Jetformbuilder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 3,086 live websites (54% of Jetformbuilder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 55 versions ( 90% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Dec 16, 2025
- Updated - Apr 8, 2026
Credits
- Tri Firdyanto (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11991 United States | 593 websites |
 Germany | 309 websites |
 Brazil | 248 websites |
 France | 165 websites |
 Netherlands | 162 websites |
 Spain | 141 websites |
 Bulgaria | 113 websites |
 GB | 105 websites |
 Canada | 85 websites |
 Italy | 84 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11991| .com | 1,088 websites |
| .com.br | 203 websites |
| .de | 170 websites |
| .nl | 134 websites |
| .org | 127 websites |
| .fr | 72 websites |
| .it | 67 websites |
| .es | 56 websites |
| .ca | 52 websites |
| .ch | 51 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11991
Top websites that are affected by CVE-2025-11991. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *****.org | United States | **,*** | |
| ****.********.edu | United States | **,*** | |
| ****.com |  Malta | ***,*** | |
| *******.com |  Cyprus | ***,*** | |
| ***************.com | United States | ***,*** | |
| *******************.de | Germany | ***,*** | |
| **************.org | United States | ***,*** | |
| *************.com | Canada | ***,*** |
FAQ
CVE-2025-11991 is Missing Authorization in Jetformbuilder
A total of 3,086 websites have been identified as vulnerable to CVE-2025-11991, based on global website indexing conducted by WebTechSurvey.
The Jetformbuilder is affected by the CVE-2025-11991 vulnerability.
Jetformbuilder versions up to and including 3.5.3 are vulnerable to CVE-2025-11991.