CVE-2025-11991: CWE-862 Missing Authorization in jetmonsters JetFormBuilder — Dynamic Blocks Form Builder
The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming the site's AI usage limits.
AI Analysis
Technical Summary
CVE-2025-11991 identifies a missing authorization vulnerability (CWE-862) in the JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress, versions up to and including 3.5.3. The core issue lies in the run_callback function, which lacks proper capability checks, allowing unauthenticated attackers to invoke AI-based form generation features. This flaw enables attackers to create forms dynamically without permission, leading to unauthorized modification of data and consumption of the site's AI usage limits. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. Although it does not directly expose sensitive data or cause denial of service, the unauthorized data modification can undermine the integrity of form data and potentially disrupt normal site operations by exhausting AI resource quotas. No patches are currently linked, and no active exploits have been reported, but the vulnerability's presence in a widely used WordPress plugin makes it a notable risk. The CVSS 3.1 base score of 5.3 reflects a medium severity, emphasizing the need for timely remediation. The vulnerability highlights the importance of implementing robust authorization checks in plugin callback functions to prevent unauthorized access and abuse of site resources.
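To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not JetFormBuilder code, and the page does not say which hook mechanism the plugin's run_callback uses. A WordPress REST route is assumed, and every route, function, capability and post type name (example-forms/v1, example_run_callback, edit_posts, example_form) is hypothetical. The first registration shows the missing authorization; the second shows the fix, with the capability enforced both in permission_callback and inside the handler.

```php
<?php
// Added illustration for this advisory; NOT JetFormBuilder code. Route,
// function, capability and post type names are hypothetical, and a REST
// route is assumed because the page does not state the real hook mechanism.

// Placeholder for a metered, AI-backed form generator (assumed; it stands in
// for whatever quota-consuming service the real callback would reach).
function example_generate_form_with_ai( $prompt ) {
    return wp_insert_post( array(
        'post_type'   => 'example_form',
        'post_title'  => $prompt,
        'post_status' => 'draft',
    ) );
}

// BEFORE (vulnerable pattern): '__return_true' lets any visitor, logged in
// or not, reach the handler and spend the site's AI quota.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/run-callback', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_callback',
        'permission_callback' => '__return_true', // missing authorization
    ) );
} );

function example_run_callback( WP_REST_Request $request ) {
    $prompt  = sanitize_text_field( (string) $request->get_param( 'prompt' ) );
    $form_id = example_generate_form_with_ai( $prompt );
    return rest_ensure_response( array( 'form_id' => $form_id ) );
}

// AFTER (hardened): the route requires a capability that only legitimate
// form editors hold, and the handler re-checks it so the guard survives a
// later refactoring of the route registration.
function example_can_generate_forms() {
    // 'edit_posts' is an assumption; use the capability that matches who is
    // allowed to create forms on your site.
    return current_user_can( 'edit_posts' );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/run-callback-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_callback_secure',
        'permission_callback' => 'example_can_generate_forms',
        'args'                => array(
            'prompt' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_run_callback_secure( WP_REST_Request $request ) {
    if ( ! example_can_generate_forms() ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to generate forms.',
            array( 'status' => 403 )
        );
    }
    $form_id = example_generate_form_with_ai( $request->get_param( 'prompt' ) );
    return rest_ensure_response( array( 'form_id' => $form_id ) );
}
```

With WordPress cookie authentication, requests from the admin UI must carry the X-WP-Nonce header; without it the REST API treats the caller as logged out, current_user_can() returns false for the hardened route, and the request is rejected with 403. That fail-closed behaviour is exactly what the vulnerable registration lacks.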
Potential Impact
For European organizations, this vulnerability can lead to unauthorized use of AI form generation capabilities, resulting in resource exhaustion and potential disruption of legitimate site functionality. While it does not compromise confidentiality or availability directly, the integrity of form data can be affected, potentially leading to inaccurate or maliciously altered submissions. Organizations relying on AI-driven forms for customer interaction, data collection, or automated workflows may experience degraded service quality or increased operational costs due to excessive AI usage. Additionally, attackers could leverage this flaw to conduct further attacks by injecting malicious data or manipulating form outputs. The impact is more pronounced for organizations with high-traffic WordPress sites using JetFormBuilder, especially those in sectors like e-commerce, public services, or digital marketing where form integrity is critical. Failure to address this vulnerability could also damage organizational reputation and trust among users.
Mitigation Recommendations
Immediate mitigation steps include disabling the AI form generation feature in JetFormBuilder, if feasible, to prevent unauthorized use until a patch is available. Organizations should monitor AI usage metrics closely to detect unusual spikes indicative of exploitation. Web application firewall (WAF) rules that block suspicious requests targeting the run_callback function can reduce exposure. Restricting access to the plugin's endpoints by IP allowlisting or authentication proxies adds a further layer of protection. Administrators should keep WordPress core and all plugins updated and subscribe to vendor advisories for patch releases. Reviewing and tightening user roles and permissions within WordPress can help limit potential abuse. Finally, regular security audits and penetration testing focused on plugin vulnerabilities will improve overall resilience against similar authorization flaws.
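The monitoring and request-blocking recommendations above can be approximated inside WordPress itself while waiting for a vendor fix. The following is an added example, not JetFormBuilder's or Wordfence's code: a filter that logs every call to an assumed AI-generation REST route with the caller's user ID and IP, counts calls per client in a sliding window, and rejects bursts. The route prefix, thresholds and constant names are assumptions; it is a compensating control and does not replace the missing capability check.

```php
<?php
// Added example, NOT JetFormBuilder code. Route prefix, thresholds and
// constant names are assumptions; adjust them to the real endpoint.

define( 'EXAMPLE_AI_ROUTE_PREFIX', '/example-forms/v1/run-callback' ); // hypothetical route
define( 'EXAMPLE_AI_WINDOW_SECONDS', 600 ); // count hits per client over 10 minutes
define( 'EXAMPLE_AI_MAX_HITS', 5 );         // allow at most 5 hits per window

add_filter( 'rest_request_before_callbacks', 'example_guard_ai_route', 10, 3 );

// Runs before the route's own callback; returning a WP_Error short-circuits
// the request so the quota-consuming handler is never reached.
function example_guard_ai_route( $response, $handler, $request ) {
    if ( strpos( $request->get_route(), EXAMPLE_AI_ROUTE_PREFIX ) !== 0 ) {
        return $response; // not the route being watched
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Best-effort counter per client IP, stored as an expiring transient.
    $key  = 'example_ai_hits_' . md5( $ip );
    $hits = (int) get_transient( $key ) + 1;
    set_transient( $key, $hits, EXAMPLE_AI_WINDOW_SECONDS );

    // Record every call: unauthenticated callers show up as user=0, which is
    // the signal the advisory describes, and repeated hits reveal a spike.
    error_log( sprintf(
        'example-ai-guard: route=%s ip=%s user=%d hits=%d',
        $request->get_route(),
        $ip,
        get_current_user_id(),
        $hits
    ) );

    if ( $hits > EXAMPLE_AI_MAX_HITS ) {
        return new WP_Error(
            'example_rate_limited',
            'Too many form-generation requests; try again later.',
            array( 'status' => 429 )
        );
    }

    return $response;
}
```

Two caveats apply when deploying something like this: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the client IP must be taken from a header the proxy is trusted to set; and transient-based counting is not atomic, so concurrent requests can slightly exceed the limit. The log line is the durable part: forwarding it to the SIEM gives the usage-spike detection the recommendations call for even if the cap is tuned generously.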
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T19:44:03.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69410b259bfd1ab9ba9ec080
Added to database: 12/16/2025, 7:32:53 AM
Last enriched: 12/16/2025, 7:48:10 AM
Last updated: 12/16/2025, 10:48:44 AM
Related Threats
- CVE-2025-14002: CWE-287 Improper Authentication in whyun WPCOM Member (High)
- CVE-2025-13231: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in radykal Fancy Product Designer (Medium)
- CVE-2025-68088: Missing Authorization in merkulove Huger for Elementor (Unknown)
- CVE-2025-68087: Missing Authorization in merkulove Modalier for Elementor (Unknown)
- CVE-2025-68086: Missing Authorization in merkulove Reformer for Elementor (Unknown)