CVE-2025-11991 identifies a missing authorization vulnerability (CWE-862) in the JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress, present in all versions up to and including 3.5.3. The flaw exists in the run_callback function, which lacks proper capability checks, enabling unauthenticated attackers to invoke this function and generate forms dynamically using AI features integrated into the plugin. This unauthorized access allows attackers to consume the site's AI usage limits, potentially leading to resource exhaustion or denial of service conditions related to AI service quotas. The vulnerability does not expose confidential data nor directly impact system availability but compromises data integrity by permitting unauthorized data modification. The CVSS 3.1 score of 5.3 reflects a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and unchanged scope (S:U). No known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions of the plugin, which is widely used in WordPress environments for form building with AI capabilities. The lack of authorization checks is a critical security oversight that can be exploited remotely without authentication, emphasizing the need for immediate remediation. The vulnerability was reserved in October 2025 and published in December 2025, indicating recent discovery and disclosure.

The primary impact of CVE-2025-11991 is unauthorized modification of data within the JetFormBuilder plugin, specifically the ability to generate forms using AI without proper authorization. This can lead to abuse of AI usage limits, potentially causing resource exhaustion or degraded performance of the affected WordPress site. While confidentiality and availability are not directly compromised, the integrity of the site's data and form configurations can be altered by attackers. Organizations relying on AI-driven form generation may face increased operational costs or service disruptions due to excessive AI resource consumption. Additionally, attackers could leverage this vulnerability to conduct further attacks or abuse site functionalities, undermining trust and user experience. The vulnerability's ease of exploitation without authentication increases the risk of widespread abuse, especially on publicly accessible WordPress sites using the vulnerable plugin. The absence of known exploits in the wild currently limits immediate widespread impact, but the potential for future exploitation remains significant.

To mitigate CVE-2025-11991, organizations should immediately update the JetFormBuilder — Dynamic Blocks Form Builder plugin to a version that includes proper authorization checks once available from the vendor. Until a patch is released, administrators should consider disabling the AI form generation features or the plugin entirely if feasible. Implementing web application firewall (WAF) rules to detect and block unauthorized requests targeting the run_callback function can reduce exploitation risk. Monitoring AI usage metrics closely for unusual spikes can help identify ongoing abuse. Restricting access to the plugin’s endpoints via IP whitelisting or authentication proxies may provide temporary protection. Additionally, reviewing and tightening WordPress user roles and permissions related to form management can limit potential damage. Regular backups of form configurations and site data will aid recovery if unauthorized modifications occur. Finally, organizations should stay informed about vendor advisories and apply patches promptly once released.