PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25352 ultimate-form-builder-lite CVE debrief

CVE-2018-25352 documents an authenticated SQL injection vulnerability in the Ultimate Form Builder Lite WordPress plugin, versions 1.3.7 and below. The flaw is in the `entry_id` POST parameter consumed by the `ufbl_get_entry_detail_action` action handler reached through `admin-ajax.php`. An authenticated attacker can inject SQL into the query built from that parameter and use it to read or modify data in the WordPress database or, depending on what the injected statements can reach, escalate privileges. The CVE was published on 2026-05-23 and last modified on 2026-05-26. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required, and high confidentiality impact. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: ultimate-form-builder-lite
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-23
Original CVE updated: 2026-05-26
Advisory published: 2026-05-23
Advisory updated: 2026-05-26

Who should care

WordPress site administrators running the Ultimate Form Builder Lite plugin; security teams tracking WordPress plugin vulnerabilities; web application firewall operators

Technical summary

The Ultimate Form Builder Lite WordPress plugin does not validate or parameterize the `entry_id` POST parameter before using it in a database query inside the handler for the `admin-ajax.php` action `ufbl_get_entry_detail_action`. Because `admin-ajax.php` dispatches `wp_ajax_*` handlers for any logged-in user regardless of role, the handler's own capability check, not authentication by itself, decides which accounts can reach the query; the CVSS rating of low privileges required indicates that a low-privileged account is enough. An authenticated user can therefore inject arbitrary SQL, leading to unauthorized data access or modification and potentially to privilege escalation within the WordPress database. Affected versions are 1.3.7 and below.
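The following PHP is an added illustration, not code from the Ultimate Form Builder Lite plugin or from PatchSiren: a handler that interpolates `entry_id` straight into the query (the CWE-89 pattern the advisory describes) beside a hardened handler that gates the action by capability and nonce, coerces the identifier to an integer, and binds it with `$wpdb->prepare()`. The function names, the `example_form_entries` table, the `manage_options` capability and the nonce name are assumptions chosen for the example; only the AJAX action name comes from the advisory.

```php
<?php
// Added illustration (not the plugin's code). Everything named "example_*"
// is an assumption; only the action name ufbl_get_entry_detail_action is
// taken from the advisory.

// --- Unsafe pattern: the POST value becomes part of the SQL text. ---
function example_unsafe_get_entry_detail() {
    global $wpdb;
    $entry_id = isset( $_POST['entry_id'] ) ? $_POST['entry_id'] : '';
    $table    = $wpdb->prefix . 'example_form_entries';   // assumed table name
    // In an integer context no quote is needed, so a value such as
    // "1 UNION SELECT user_login,user_pass,... FROM wp_users" is executed as written.
    $row = $wpdb->get_row( "SELECT * FROM {$table} WHERE entry_id = " . $entry_id );
    wp_send_json_success( $row );
}

// --- Hardened handler: capability, nonce, integer coercion, prepared statement. ---
function example_safe_get_entry_detail() {
    global $wpdb;

    // admin-ajax.php runs wp_ajax_* callbacks for every logged-in user, so the
    // capability check is what actually limits who can reach the query.
    if ( ! current_user_can( 'manage_options' ) ) {          // assumed capability
        wp_send_json_error( 'forbidden', 403 );              // calls wp_die()
    }

    // CSRF protection; dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_entry_detail_nonce', 'security' ); // assumed nonce name

    // absint() yields a non-negative integer: leading digits are kept, the rest
    // of the string is dropped, and non-numeric input becomes 0.
    $entry_id = isset( $_POST['entry_id'] ) ? absint( wp_unslash( $_POST['entry_id'] ) ) : 0;
    if ( 0 === $entry_id ) {
        wp_send_json_error( 'invalid entry_id', 400 );
    }

    $table = $wpdb->prefix . 'example_form_entries';        // assumed table name
    // %d forces an integer into the SQL text; the table name cannot be bound,
    // so it is built from the trusted prefix, never from user input.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE entry_id = %d", $entry_id );
    $row = $wpdb->get_row( $sql );

    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}

// Hook name is wp_ajax_ plus the advisory's action name.
add_action( 'wp_ajax_ufbl_get_entry_detail_action', 'example_safe_get_entry_detail' );
```

The integer coercion alone would stop this particular injection, but `$wpdb->prepare()` is the control to rely on: it also covers the case where a later change turns the identifier into a string column, and the capability check keeps a subscriber-level account from reading other people's form entries even with a well-formed `entry_id`.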

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Ultimate Form Builder Lite to a release newer than 1.3.7 if one is available; if none is, disable or remove the plugin, or deploy a compensating control (a WAF rule or an in-application guard) in front of the `ufbl_get_entry_detail_action` handler
  • Add WAF rules that block requests to `admin-ajax.php` carrying `action=ufbl_get_entry_detail_action` whose `entry_id` parameter is not a plain integer; assuming, as the parameter name suggests, that legitimate values are numeric entry identifiers, matching on "anything non-numeric" is far more reliable than generic SQL injection signatures. WordPress reads `action` from either the query string or the POST body, so the rule must inspect both
  • Where the site can tolerate it, restrict `admin-ajax.php` to trusted IP ranges. Many plugins and themes use `admin-ajax.php` for unauthenticated front-end requests (`wp_ajax_nopriv_*` hooks), so test before restricting; a narrower option is to restrict only requests carrying `action=ufbl_get_entry_detail_action` to the addresses from which entries are administered
  • Monitor database query logs (for example the MySQL general query log, enabled temporarily, or a query-logging plugin) for `UNION`, `SLEEP()`, `BENCHMARK()`, `information_schema` or stacked-statement patterns coming from authenticated sessions, and review web server logs for bursts of POSTs to `admin-ajax.php` from a single client
  • In custom form builder code, pass every user-supplied value through `$wpdb->prepare()` (casting numeric identifiers with `absint()` first) rather than concatenating it into SQL
  • Apply least privilege to WordPress accounts: remove stale users, grant Editor and Administrator roles sparingly, and keep open registration disabled, since any account that can log in can reach `admin-ajax.php`
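As an added example (not the plugin's, PatchSiren's or any vendor's code) of the compensating control and the monitoring step above, for the period in which no fixed release exists: a must-use plugin that registers a callback on the same `wp_ajax_ufbl_get_entry_detail_action` hook at priority 0, so it runs before the plugin's own handler, rejects any `entry_id` that is not a plain positive integer, and writes the attempt to the PHP error log. It assumes the vulnerable handler is registered at WordPress's default hook priority (10), that legitimate `entry_id` values are positive decimal integers, and that only administrators need entry details; the `manage_options` gate is that last assumption and can be removed if other roles legitimately use the action.

```php
<?php
/**
 * Plugin Name: Example guard for CVE-2018-25352
 * Description: Added illustration, not the plugin's code. Place this file in
 *   wp-content/mu-plugins/ so it loads before regular plugins. It pre-empts the
 *   vulnerable ufbl_get_entry_detail_action handler by hooking the same action at
 *   priority 0 (assumption: the plugin's handler uses the default priority 10).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Pure check, kept separate so it can be unit-tested without WordPress.
 * Assumption: a legitimate entry_id is a positive decimal integer of at most
 * ten digits. Arrays, empty strings, "1 UNION ...", "1;--" etc. are rejected.
 */
function example_cve_2018_25352_entry_id_is_valid( $raw ) {
    return is_string( $raw ) && 1 === preg_match( '/^[1-9][0-9]{0,9}$/', $raw );
}

function example_cve_2018_25352_guard() {
    $raw = isset( $_POST['entry_id'] ) ? wp_unslash( $_POST['entry_id'] ) : '';

    if ( ! example_cve_2018_25352_entry_id_is_valid( $raw ) ) {
        $user  = wp_get_current_user();
        $shown = is_string( $raw ) ? substr( $raw, 0, 200 ) : '[non-scalar]';
        // One line per blocked attempt; ship the PHP error log to the SIEM.
        error_log( sprintf(
            'CVE-2018-25352 guard: blocked ufbl_get_entry_detail_action user=%s id=%d ip=%s entry_id=%s',
            $user->user_login,
            $user->ID,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $shown
        ) );
        // wp_send_json_error() ends the request via wp_die(), so the plugin's
        // priority-10 callback is never reached.
        wp_send_json_error( 'invalid entry_id', 400 );
    }

    // Assumption: only administrators need entry details. Drop this block if
    // other roles use the action legitimately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}

// Priority 0 runs before the default priority 10 used by most plugins.
add_action( 'wp_ajax_ufbl_get_entry_detail_action', 'example_cve_2018_25352_guard', 0 );
```

This guard covers only the one action the advisory names and depends on running earlier in the hook order than the vulnerable callback; verify the ordering on a staging copy (a quick test is to submit `entry_id=1 UNION SELECT 1` while logged in and confirm the 400 response and the log line). Keep the WAF rule as well, since the guard does nothing if the plugin is later updated to register its handler at a lower priority.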

Evidence notes

The weakness is classified as CWE-89 (SQL injection). The attack requires an authenticated session, because the vulnerable action is dispatched through `admin-ajax.php` only for logged-in users.

Official resources

The vulnerability was disclosed via VulnCheck and is documented in NVD, with references to an Exploit-DB entry and a VulnCheck advisory. Vendor attribution is uncertain (low confidence, derived from reference-domain analysis only).