CVE-2025-11991: CWE-862 Missing Authorization in jetmonsters JetFormBuilder — Dynamic Blocks Form Builder
The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming the site's AI usage limits.
AI Analysis
Technical Summary
CVE-2025-11991 identifies a missing authorization vulnerability (CWE-862) in the JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress, versions up to and including 3.5.3. The vulnerability arises because the run_callback function does not perform proper capability checks before allowing form generation via AI. This omission permits unauthenticated attackers to invoke this function, enabling them to create forms dynamically without any access restrictions. The primary consequence is unauthorized modification of data and consumption of the site's AI usage limits, which could lead to resource exhaustion or denial of service conditions indirectly. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on integrity but no confidentiality or availability impact. No patches or known exploits are currently available, indicating the vulnerability is newly disclosed. The plugin is widely used in WordPress environments for dynamic form creation, often leveraging AI features to enhance user experience. The lack of authorization checks represents a significant security oversight, as it allows attackers to abuse AI resources and potentially disrupt normal site operations. Organizations relying on this plugin should prioritize mitigation to prevent unauthorized form generation and resource abuse.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of their web applications and the availability of AI resources integrated into their WordPress sites. Unauthorized form generation can lead to excessive consumption of AI usage limits, potentially degrading service quality or causing additional costs due to overuse. While there is no direct impact on confidentiality or availability, the indirect effects could disrupt business processes relying on AI-driven forms, such as customer interactions, data collection, and automated workflows. Organizations in sectors with high reliance on dynamic web forms and AI, including e-commerce, public services, and digital marketing, may experience operational disruptions. Additionally, the vulnerability could be exploited as part of a larger attack chain to facilitate further compromise or data manipulation. Given the ease of exploitation without authentication or user interaction, the threat level is elevated for any European entity using the affected plugin, especially those with high traffic or sensitive data processing through forms.
Mitigation Recommendations
1. Immediately audit WordPress sites to identify installations of the JetFormBuilder — Dynamic Blocks Form Builder plugin, particularly versions up to 3.5.3.
2. Temporarily disable or uninstall the plugin if AI form generation is not critical to operations until an official patch is released.
3. Implement custom authorization checks on the run_callback function by modifying the plugin code or using WordPress hooks to restrict access to authenticated and authorized users only.
4. Monitor AI usage metrics closely to detect unusual spikes that may indicate exploitation attempts.
5. Employ web application firewalls (WAF) with custom rules to block unauthorized requests targeting the vulnerable function endpoints.
6. Keep WordPress core, themes, and other plugins updated to reduce the attack surface.
7. Engage with the plugin vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
8. Educate site administrators about the risks of unauthorized plugin usage and the importance of access controls for dynamic content generation features.
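Mitigation step 3 asks for a capability check in front of the callback. The snippet below is an added, illustrative WordPress example, not JetFormBuilder's own code: it shows the CWE-862 pattern of a REST route registered with `'permission_callback' => '__return_true'` next to a corrected registration that requires an authenticated user with a suitable capability before the AI-backed callback runs. The namespace `example/v1`, the route names, `example_run_callback` and the generator function `example_generate_form_with_ai()` are hypothetical placeholders assumed to exist.

```php
<?php
// Added illustrative example, not the plugin's code. Hypothetical names:
// namespace 'example/v1', routes '/generate-form' and '/generate-form-secure',
// and a generator example_generate_form_with_ai( $prompt ) that spends the
// site's AI quota and returns the new form's ID.

// Vulnerable pattern (CWE-862): the permission callback always returns true,
// so any unauthenticated visitor can trigger the AI generator and burn the
// site's AI usage limit.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/generate-form', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_callback',
        'permission_callback' => '__return_true', // missing authorization
    ) );
} );

// Hardened pattern: WordPress evaluates permission_callback before the route
// callback. Cookie-authenticated REST requests are only treated as logged in
// when they carry a valid X-WP-Nonce header, so is_user_logged_in() already
// implies a nonce check; current_user_can() then enforces the capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/generate-form-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_callback',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.',
                    array( 'status' => 401 ) );
            }
            // 'edit_posts' is a reasonable floor for creating form content;
            // pick the capability that matches who may build forms on the site.
            if ( ! current_user_can( 'edit_posts' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient capability.',
                    array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

// Shared callback: only reached on the secure route once authorization passed.
function example_run_callback( WP_REST_Request $request ) {
    $prompt  = sanitize_textarea_field( (string) $request->get_param( 'prompt' ) );
    $form_id = example_generate_form_with_ai( $prompt ); // hypothetical, spends AI quota
    return rest_ensure_response( array( 'form_id' => $form_id ) );
}
```

The same idea applies to admin-ajax handlers: a `wp_ajax_nopriv_*` hook exposes the action to visitors, so an action that spends paid resources should be registered under `wp_ajax_*` only and guard itself with `current_user_can()` and `check_ajax_referer()`.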
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T19:44:03.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69410b259bfd1ab9ba9ec080
Added to database: 12/16/2025, 7:32:53 AM
Last enriched: 12/23/2025, 8:24:07 AM
Last updated: 2/4/2026, 8:47:18 AM