CVE-2026-54195 | Severity: HIGH | CNA: Patchstack

CVE-2026-54195: WordPress JetFormBuilder plugin <= 3.6.0.1 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder <= 3.6.0.1 versions.

Metrics

  • CVSS v3.1 base score: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability exists in the JetFormBuilder WordPress plugin at version 3.6.0.1 and earlier. The flaw is reachable over the network with no authentication required, but does require a victim to interact with a crafted link or page. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, potentially reading session data, modifying page content, and disrupting the victim's experience. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-54195 is available across every HarborGuard environment, with ingestion from upstream advisory feeds including Patchstack occurring within minutes of publication and automatic matching against customer images in registries and CI pipelines. Coverage extends to custom-built images that bundle the JetFormBuilder plugin, not just official upstream images.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at 7.1 HIGH (CVSS v3.1) and weighting findings against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Jetmonsters ships a remediated release. In the interim, per-environment compensating controls such as network-policy isolation and web-application-firewall rule recommendations are surfaced in the HarborGuard findings detail.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress site over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS.

  • Authentication: Not required

    No account or credentials are needed; the attack can be launched by any unauthenticated party who can send a request to the affected plugin.

  • Victim interaction: Required

    A victim (typically a site visitor or administrator) must follow a crafted link or load a page containing the malicious payload for the script to execute.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental factors to succeed.

Blast Radius

  • Reads session cookies or authentication tokens belonging to the victim user, which can be exfiltrated to an attacker-controlled server.
  • Modifies visible page content in the victim's browser session, enabling phishing overlays or credential-harvesting forms.
  • Disrupts the victim's interaction with the affected WordPress site by injecting scripts that alter or break page behavior.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored on every ingest cycle because no upstream fix currently exists. Where images bundle JetFormBuilder at an affected version, the finding is raised at HIGH severity and routed per each environment's compliance policy. HarborGuard surfaces compensating-control recommendations including network-policy restrictions to limit exposure of the WordPress endpoint and web-application-firewall rule suggestions to block common XSS payload patterns. The moment Jetmonsters publishes a patched release, a rebuilt image at the fix version becomes available; for customers who opt into auto-remediation, that rebuild is followed by a regression-test run and a PR opened against affected workloads automatically.

Affected packages
  • Jetmonsters / JetFormBuilder, versions ≤ 3.6.0.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L