CVE-2018-25352

HIGH 7.1

WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

7th

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database.

CWE	CWE-89
Vendor	ultimate-form-builder-lite
Product	ultimate form builder lite
Published	May 23, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for ultimate-form-builder-lite ultimate form builder lite

Be the first to know when new high vulnerabilities affecting ultimate-form-builder-lite ultimate form builder lite are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

ultimate-form-builder-lite / Ultimate Form Builder Lite

0 ≤ 1.3.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/44884 vulnerablesite.com: http://vulnerablesite.com/wp-admin/admin-ajax.php vulncheck.com: https://www.vulncheck.com/advisories/wordpress-ultimate-form-builder-lite-sql-injection-via-entry-id

Credits

defensecode