The JetFormBuilder plugin for WordPress, widely used for dynamic form creation, contains an absolute path traversal vulnerability identified as CVE-2026-4373. This vulnerability exists in all versions up to and including 3.5.6.2 due to improper validation in the 'Uploaded_File::set_from_array' method. This method accepts file paths from the Media Field preset JSON payload without ensuring the paths are confined to the WordPress uploads directory. Additionally, the 'File_Tools::is_same_file' function performs an insufficient check by comparing only the basenames of files, failing to detect path traversal attempts. An attacker can exploit this by crafting a form submission that includes a malicious file path, causing the plugin to attach arbitrary local files to emails sent by the form's Send Email action. This attack vector requires no authentication or user interaction, making it highly accessible to remote attackers. The vulnerability primarily impacts confidentiality, allowing exfiltration of sensitive server files such as configuration files, credentials, or other private data. While no public exploits have been observed yet, the ease of exploitation and potential data exposure warrant urgent attention. The vulnerability is classified under CWE-36 (Absolute Path Traversal), highlighting the risk of unauthorized file access through path manipulation.

The primary impact of CVE-2026-4373 is the unauthorized disclosure of sensitive local files on affected WordPress servers. Attackers can exfiltrate configuration files, database credentials, private keys, or other critical data, leading to potential further compromise of the web server or associated infrastructure. Since the vulnerability requires no authentication or user interaction, it significantly lowers the barrier for exploitation, increasing the risk of widespread attacks. Organizations relying on JetFormBuilder for form handling may face data breaches, regulatory compliance violations, and reputational damage. The confidentiality breach could enable attackers to escalate privileges, pivot within networks, or conduct targeted attacks using harvested information. Although integrity and availability are not directly impacted, the loss of confidentiality alone can have severe operational and financial consequences. The vulnerability affects all installations using vulnerable versions of the plugin, which may be prevalent in small to medium businesses and enterprises using WordPress for customer engagement or data collection.

To mitigate CVE-2026-4373, organizations should immediately update the JetFormBuilder plugin to a version where this vulnerability is patched once available. In the absence of an official patch, administrators can implement the following measures: 1) Disable or remove any forms configured with Media Field presets combined with Send Email actions that attach files until the plugin is updated. 2) Restrict file system permissions to limit the web server's access to sensitive directories outside the uploads folder, minimizing the impact of path traversal. 3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious form submissions containing path traversal patterns (e.g., '../'). 4) Monitor outgoing emails for unexpected attachments that could indicate exploitation attempts. 5) Conduct regular audits of plugin usage and remove unused or unnecessary plugins to reduce the attack surface. 6) Implement strict input validation and sanitization at the application level if customization is possible. These steps, combined with timely patching, will reduce the risk of exploitation and data leakage.