Description
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database.
Published: 2026-05-23
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated attacker to inject arbitrary SQL through the entry_id POST parameter in the admin-ajax.php endpoint. The injection is possible when the plugin action ufbl_get_entry_detail_action is called, enabling the attacker to read, modify, or potentially elevate privileges within the WordPress database. This is a classic SQL injection flaw (CWE-89), which directly jeopardizes confidentiality, integrity, and availability of the data stored by the plugin, as an intruder could exfiltrate sensitive information or alter database content.

Affected Systems

Any WordPress site running Ultimate Form Builder Lite version 1.3.7 or earlier is affected. The plugin is distributed under the vendor accesspressthemes and commonly used on WordPress installations that manage form entries or submissions.

Risk and Exploitability

The CVSS score for this issue is 7.1, indicating high severity. No EPSS score is currently available, so the probability of exploitation is not quantified, and the issue is not listed in the CISA KEV catalog. Attackers must be authenticated and have permission to send POST requests to admin-ajax.php, which is a common path for legitimate WordPress administrative activity. The CVSS vectors record a network attack vector (AV:N) with low privileges required (PR:L), consistent with the flaw being reached through the plugin's AJAX endpoint.

Generated by OpenCVE AI on May 23, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultimate Form Builder Lite to a version newer than 1.3.7 to eliminate the vulnerable entry_id processing.
  • If an upgrade cannot be performed, completely remove the plugin or replace it with a secure alternative to eliminate the injection surface.
  • Restrict administrative access by enforcing role-based permissions and limiting which accounts may send POST requests to admin-ajax.php.

Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | - | WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database.
Title | - | WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id
First Time appeared | - | Accesspressthemes; Accesspressthemes ultimate-form-builder-lite
Weaknesses | - | CWE-89
CPEs | - | cpe:2.3:a:accesspressthemes:ultimate-form-builder-lite:*:*:*:*:*:wordpress:*:*
Vendors & Products | - | Accesspressthemes; Accesspressthemes ultimate-form-builder-lite
References | - | -
Metrics | - | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:52.705Z

Reserved: 2026-05-23T15:40:32.389Z

Link: CVE-2018-25352

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T20:30:26Z

Weaknesses