WordPress Ultimate Form Builder Lite Plugin Vulnerability (CVE-2018-25352)

Security Alert Summary

The WordPress Ultimate Form Builder Lite plugin (version 1.3.7 and below) contains an SQL injection vulnerability that allows authenticated attackers to inject SQL via the entry_id POST parameter. Exploitation can occur by sending POST requests to admin-ajax.php with the ufbl_get_entry_detail_action action, potentially exposing or modifying data in the WordPress database.


CVE Details

  • CVE ID: CVE-2018-25352
  • Affected component: WordPress Ultimate Form Builder Lite plugin
  • Affected versions: version 1.3.7 and below
  • Published: May 23, 2026 at 7:16:55 PM
  • Last modified: May 23, 2026 at 7:16:55 PM
  • CVSS v3.1: Base Score 7.1, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  • Authentication / Privileges / User interaction: Requires an authenticated attacker with low privileges; no user interaction needed.
  • Primary impact: Confidentiality: HIGH; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-89 (SQL Injection)

Technical Details

The plugin contains an SQL injection vulnerability in its handling of the entry_id POST parameter. An authenticated attacker can supply crafted SQL via this parameter. The vulnerability is reachable through WordPress's AJAX endpoint by sending POST requests to admin-ajax.php with the ufbl_get_entry_detail_action action. Successful injection can be used to extract data from the database or modify database contents within the privileges of the exploited query, as described in the advisory.

The description identifies the specific vector (the entry_id POST parameter) and the entry point (admin-ajax.php with ufbl_get_entry_detail_action). No additional functions or internal code paths are named in the provided data.
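The defect class described above (a request parameter spliced into SQL text) and its hardened counterpart, as an added example that is not the plugin's code. The plugin itself is PHP; this models the same handler logic in Python with sqlite3 so it runs stand-alone. The table name, column names, sample rows and the capability flag are constructed for the illustration.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed stand-in for the plugin's form-entry storage (not its real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, submitter_email TEXT)")
    conn.executemany(
        "INSERT INTO entries VALUES (?, ?)",
        [(1, "alice@example.test"), (2, "bob@example.test"), (3, "carol@example.test")],
    )
    return conn


def get_entry_vulnerable(conn, entry_id):
    """Models the defect class: the untrusted entry_id is interpolated into the SQL text,
    so any SQL fragment the caller supplies becomes part of the query."""
    sql = f"SELECT id, submitter_email FROM entries WHERE id = {entry_id}"
    return conn.execute(sql).fetchall()


# Strict shape for a numeric identifier (the equivalent of WordPress absint()).
ENTRY_ID = re.compile(r"^[0-9]+$")


def get_entry_hardened(conn, entry_id, can_view_entries):
    """Hardened form: authorize the caller, validate the identifier's shape,
    and pass the value as a bound parameter instead of string-building SQL."""
    if not can_view_entries:
        raise PermissionError("caller lacks the capability to view form entries")
    if not isinstance(entry_id, str) or not ENTRY_ID.match(entry_id):
        raise ValueError("entry_id must be a non-negative integer")
    return conn.execute(
        "SELECT id, submitter_email FROM entries WHERE id = ?", (int(entry_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable, well-formed id :", get_entry_vulnerable(db, "2"))
    print("vulnerable, tautology      :", get_entry_vulnerable(db, "2 OR 1=1"))
    print("hardened, well-formed id   :", get_entry_hardened(db, "2", True))
    try:
        get_entry_hardened(db, "2 OR 1=1", True)
    except ValueError as exc:
        print("hardened, tautology        : rejected ->", exc)
```

In a WordPress AJAX handler the same three checks map onto `check_ajax_referer()` plus `current_user_can()` for authorization, `absint()` applied to `$_POST['entry_id']`, and `$wpdb->prepare()` with a `%d` placeholder for the query; the point of the example is that validation alone is not the fix, the parameter must also never reach the SQL text.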


How This Could Impact Your Website

In a typical site with multiple users, an external contractor or a low-privileged contributor account could be used to trigger the vulnerable AJAX action and inject SQL. This can lead to exposure of sensitive data such as internal user email addresses or other information stored in the database (confidentiality impact rated HIGH). Because the integrity impact is rated LOW, an attacker may be able to alter limited data reached by the vulnerable query, but the vulnerability is not indicated to cause full site takeover or availability disruption.

Practical consequences include increased risk of targeted phishing or social engineering against staff whose emails or contact details are exposed, and unauthorized disclosure of form entries or other stored records. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and any external contractor accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual AJAX requests, database errors, or unexpected data exports.
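A concrete form of the last item, added here as an example and not part of the advisory: a scanner over request logs that flags calls to the ufbl_get_entry_detail_action action whose entry_id is not a plain integer, and sources that request an unusually large number of distinct entries. The log format is a constructed JSON-lines layout of the kind a WAF or security plugin might emit for admin-ajax.php calls; the field names, user names and sample lines are assumptions, and the enumeration threshold is a tunable guess.

```python
import json
import re
from collections import defaultdict

# Action name from the advisory; the regex is the same strict integer shape
# the handler itself should enforce on entry_id.
TARGET_ACTION = "ufbl_get_entry_detail_action"
NUMERIC_ID = re.compile(r"^[0-9]+$")

# Constructed sample log (JSON lines). One line is deliberately unparseable.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:01Z","user":"editor1","action":"ufbl_get_entry_detail_action","entry_id":"12"}
{"ts":"2024-01-01T10:00:02Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"12 OR 1=1"}
{"ts":"2024-01-01T10:00:03Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"12' OR 'a'='a"}
{"ts":"2024-01-01T10:00:04Z","user":"editor1","action":"heartbeat","entry_id":null}
this line is not json and must be skipped, not crash the scanner
{"ts":"2024-01-01T10:00:05Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"1"}
{"ts":"2024-01-01T10:00:06Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"2"}
{"ts":"2024-01-01T10:00:07Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"3"}
{"ts":"2024-01-01T10:00:08Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"4"}
{"ts":"2024-01-01T10:00:09Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"5"}
{"ts":"2024-01-01T10:00:10Z","user":"contrib7","action":"ufbl_get_entry_detail_action","entry_id":"6"}
"""


def parse_lines(text):
    """Yield (line_no, record); record is None for a line that is not valid JSON."""
    for n, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield n, json.loads(raw)
        except json.JSONDecodeError:
            yield n, None


def scan(text, enum_threshold=5):
    """Return (findings, skipped_line_count).

    Rule 1 (malformed_entry_id): the target action was called with an entry_id that
    is not a plain integer; a benign client never sends that, so each hit is reportable.
    Rule 2 (entry_enumeration): one user requested more than enum_threshold distinct
    entries; a real deployment would bound this by a time window as well.
    """
    findings = []
    distinct_ids = defaultdict(set)
    skipped = 0
    for n, rec in parse_lines(text):
        if rec is None:
            skipped += 1
            continue
        if rec.get("action") != TARGET_ACTION:
            continue
        user = rec.get("user", "?")
        eid = rec.get("entry_id")
        if not isinstance(eid, str) or not NUMERIC_ID.match(eid):
            findings.append({"rule": "malformed_entry_id", "line": n, "user": user, "entry_id": eid})
            continue
        distinct_ids[user].add(eid)
    for user, ids in distinct_ids.items():
        if len(ids) > enum_threshold:
            findings.append({"rule": "entry_enumeration", "user": user, "distinct_ids": len(ids)})
    return findings, skipped


if __name__ == "__main__":
    found, bad_lines = scan(SAMPLE_LOG)
    for f in found:
        print(f)
    print(f"{bad_lines} unparseable line(s) skipped")
```

Rule 1 is the high-signal one: after the plugin is patched, a non-integer entry_id still indicates someone probing the endpoint, so the alert stays useful. Rule 2 needs tuning against the site's normal editorial traffic before it is actionable.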

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
