[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fThhMvEUfbjbPaKyYCa2KVGQAlp7_xxMapqp_9Fet6GU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-54196","jetformbuilder-dynamic-blocks-form-builder-authenticated-subscriber-privilege-escalation","JetFormBuilder — Dynamic Blocks Form Builder \u003C= 3.6.1 - Authenticated (Subscriber+) Privilege Escalation","The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges.","jetformbuilder",null,"\u003C=3.6.1","3.6.1.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-06-16 00:00:00","2026-06-25 14:35:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F36e83a33-63e7-4282-9b3c-282bd21830b7?source=api-prod",10,[22,23,24,25,26,27,28,29],"assets\u002Fbuild\u002Fadmin\u002Fpackage.asset.php","assets\u002Fbuild\u002Fadmin\u002Fpackage.js","assets\u002Fbuild\u002Fadmin\u002Fpages\u002Fjfb-settings.asset.php","assets\u002Fbuild\u002Fadmin\u002Fpages\u002Fjfb-settings.js","assets\u002Fbuild\u002Feditor\u002Fform.builder.asset.php","assets\u002Fbuild\u002Feditor\u002Fform.builder.js","assets\u002Fbuild\u002Feditor\u002Fpackage.asset.php","assets\u002Fbuild\u002Feditor\u002Fpackage.js","researched",false,3,"This exploitation research plan focuses on **CVE-2026-54196**, a Privilege Escalation vulnerability in the **JetFormBuilder** plugin. Given the vulnerability type (\"Incorrect Privilege Assignment\") and the requirement of \"Subscriber+\" authentication, the flaw likely resides in the plugin's handling of \"Post-Submit Actions,\" specifically those related to user updates or registration.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated Privilege Escalation via Post-Submit Actions.\n*   **Location:** Likely within the PHP classes responsible for processing form submissions and executing \"Update User\" or \"Register User\" actions (e.g., `includes\u002Factions\u002Ftypes\u002Fupdate-user.php` or similar, inferred from plugin architecture).\n*   **Root Cause:** The plugin fails to validate or restrict the specific user fields (like `role` or `wp_capabilities`) that a low-privileged user can update when submitting a form configured with a user-related action. An attacker can inject parameters into the form submission request to modify their own account's role to \"administrator.\"\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** \n    *   **REST API:** `\u002Fwp-json\u002Fjet-form-builder\u002Fv1\u002Fsubmit-form` (Default REST endpoint for JFB).\n    *   **AJAX:** `admin-ajax.php` with action `jet_form_builder_submit`.\n*   **Payload Parameter:** Form field values passed in the `values` array (REST) or as POST parameters (AJAX). Specifically, injecting a key mapped to the WordPress user role.\n*   **Authentication:** Authenticated as a Subscriber or any low-level user.\n*   **Preconditions:** A form must exist that uses the \"Update User\" post-submit action.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** User submits a form via the frontend.\n2.  **Handler:** `Jet_Form_Builder\\Form_Handler::handle_form_submission()` receives the request.\n3.  **Action Execution:** The handler identifies the \"Update User\" action associated with the form.\n4.  **Field Mapping:** The plugin maps submitted form field values to WordPress user object fields (e.g., `user_email`, `first_name`, `role`).\n5.  **Vulnerable Sink:** The mapped data is passed to `wp_update_user()` or `update_user_meta()`.\n6.  **Failure:** The plugin does not check if the current user has the `promote_users` capability before allowing the `role` field to be updated via the form submission.\n\n### 4. Nonce Acquisition Strategy\nJetFormBuilder enqueues nonces and form data via `wp_localize_script`.\n\n**Strategy:**\n1.  Identify a page containing a JetFormBuilder form.\n2.  Navigate to the page using `browser_navigate`.\n3.  Extract the nonce and form ID using `browser_eval`.\n\n**Actionable Identifiers:**\n*   **Global JS Object:** `JetFormBuilderSettings` (common in JFB).\n*   **Nonce Key:** `nonce` or `_wpnonce`.\n*   **Extraction Script:**\n    ```javascript\n    \u002F\u002F To get the submission nonce\n    window.JetFormBuilderSettings?.nonce;\n    \u002F\u002F To get form-specific data\n    window.JetFormBuilderSettings?.forms?.[FORM_ID];\n    ```\n\n### 5. Exploitation Strategy\n\n#### Step 1: Form Identification\nCreate or identify a form that has an **\"Update User\"** action. In JFB, this action allows updating the profile of the current user.\n\n#### Step 2: Request Construction\nThe attacker submits a request to the submission endpoint, injecting a parameter that the backend maps to the user role.\n\n**HTTP Request (Example via REST):**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fjet-form-builder\u002Fv1\u002Fsubmit-form`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [Extracted Nonce]`\n*   **Payload:**\n    ```json\n    {\n      \"form_id\": 123,\n      \"fields\": {\n        \"user_email\": \"subscriber@example.com\",\n        \"role\": \"administrator\" \n      },\n      \"context\": \"frontend\"\n    }\n    ```\n    *Note: The actual key might be `user_role`, `role`, or a custom field ID mapped to the role in the form settings.*\n\n### 6. Test Data Setup\n1.  **Admin Setup:**\n    *   Create a Form (ID: `1337`).\n    *   Add a Post-Submit Action: \"Update User\".\n    *   In the action settings, map a form field (e.g., a hidden field or text field) to the User \"Role\".\n2.  **Attacker Setup:**\n    *   Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n3.  **Page Setup:**\n    *   Create a page displaying the form: `wp post create --post_type=page --post_status=publish --post_content='[jet_form_builder form_id=\"1337\"]'`.\n\n### 7. Expected Results\n*   **Response:** The API should return a success message (e.g., `{\"status\":\"success\",\"message\":\"Form successfully submitted\"}`).\n*   **Result:** The \"attacker\" user's role in the database is changed from `subscriber` to `administrator`.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the role change via WP-CLI:\n```bash\nwp user get attacker --field=roles\n```\n*Successful output:* `administrator`\n\n### 9. Alternative Approaches\n*   **Hidden Field Injection:** If the role field isn't explicitly in the form, try adding it to the `fields` object in the JSON payload anyway. Many builders use a loop to process all submitted data against a whitelist that might inadvertently include `role`.\n*   **Meta Injection:** If the role cannot be changed directly, check if `wp_capabilities` (user meta) can be updated via the \"Update User\" action.\n    *   **Key:** `wp_capabilities`\n    *   **Value:** `a:1:{s:13:\"administrator\";b:1;}` (serialized).\n*   **AJAX Endpoint:** If the REST API is restricted, use the AJAX fallback:\n    *   `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n    *   `action=jet_form_builder_submit&_wpnonce=[NONCE]&form_id=1337&role=administrator`","The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in versions up to 3.6.1. This flaw allows authenticated attackers with subscriber-level access to elevate their account privileges to administrator by exploiting insufficient validation in the 'Update User' post-submit action.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.asset.php\t2026-05-27 10:17:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.asset.php\t2026-06-09 12:15:44.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('wp-i18n'), 'version' => '94ba9a9d32ea506460c6');\n+\u003C?php return array('dependencies' => array('wp-i18n'), 'version' => 'cd879d1903e305e67f49');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.js\t2026-05-27 10:17:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjetformbuilder\u002F3.6.1.1\u002Fassets\u002Fbuild\u002Fadmin\u002Fpackage.js\t2026-06-09 12:15:44.000000000 +0000\n@@ -1 +1 @@\n-(()=>{var t={2373(t,e,i) ... (truncated)","To exploit this vulnerability, an attacker authenticated as a Subscriber or higher must identify a form that utilizes the 'Update User' post-submit action. By extracting a valid submission nonce from the frontend (often found in the `JetFormBuilderSettings` global JS object), the attacker can send a POST request to the `\u002Fwp-json\u002Fjet-form-builder\u002Fv1\u002Fsubmit-form` REST endpoint. The payload is crafted to include an injected field, such as 'role' or 'user_role', set to 'administrator'. Because the plugin's backend handler fails to verify the current user's capability (like `promote_users`) before updating the user profile via `wp_update_user`, the attacker's account role is changed to administrator upon successful submission.","gemini-3-flash-preview","2026-06-25 23:11:51","2026-06-25 23:12:49",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.6.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjetformbuilder\u002Ftags\u002F3.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjetformbuilder.3.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjetformbuilder\u002Ftags\u002F3.6.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjetformbuilder.3.6.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjetformbuilder\u002Ftags"]