PatchSiren

ultimate-form-builder-lite CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ultimate-form-builder-lite CVE published 2026-05-23

CVE-2018-25352

CVE-2018-25352 documents an authenticated SQL injection vulnerability in WordPress Ultimate Form Builder Lite plugin versions 1.3.7 and below. The flaw exists in the `entry_id` POST parameter processed through the `ufbl_get_entry_detail_action` action handler at `admin-ajax.php`. Authenticated attackers can inject SQL code to extract, modify, or escalate privileges within the WordPress database. The vulne [truncated]