PT-2026-43063 · WordPress · Ultimate-Form-Builder-Lite

Published 2026-05-23 · Updated 2026-05-23 · CVE-2018-25352

CVSS v3.1: 7.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

WordPress Ultimate Form Builder Lite versions prior to 1.3.8

Description

Authenticated attackers can manipulate database queries by injecting SQL code through the 'entry_id' POST parameter. This is achieved by sending POST requests to the 'admin-ajax.php' endpoint using the 'ufbl_get_entry_detail_action' action, which may allow the extraction of data, modification of records, or privilege escalation within the WordPress database.

Recommendations

Update to a version later than 1.3.7. As a temporary workaround, restrict access to the 'admin-ajax.php' endpoint or avoid using the 'entry_id' parameter until the update is applied.
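One way to apply the temporary workaround without blocking 'admin-ajax.php' entirely is a must-use plugin that validates the parameter before the vulnerable handler runs. This is an added example, not code from the plugin or from this advisory; the file location, the `ufbl_guard_*` names and the spellings `entry_id` and `ufbl_get_entry_detail_action` are assumptions taken from the description above.

```php
<?php
/**
 * Plugin Name: UFBL entry_id guard (added example, hypothetical mu-plugin)
 * Place in wp-content/mu-plugins/ as a stopgap until the plugin is updated.
 */

// Assumption: action and parameter names as given in the advisory text.
const UFBL_GUARD_ACTION = 'ufbl_get_entry_detail_action';
const UFBL_GUARD_PARAM  = 'entry_id';

/**
 * True only for a plain positive decimal integer of bounded length.
 * Arrays, signs, whitespace, quotes and SQL keywords all fail this check.
 */
function ufbl_guard_is_valid_id( $raw ) {
    return is_string( $raw )
        && strlen( $raw ) <= 9
        && ctype_digit( $raw )
        && (int) $raw > 0;
}

function ufbl_guard_check_request() {
    $raw = isset( $_POST[ UFBL_GUARD_PARAM ] )
        ? wp_unslash( $_POST[ UFBL_GUARD_PARAM ] )
        : null;

    if ( ! ufbl_guard_is_valid_id( $raw ) ) {
        // Leave a trace for incident review: who sent the rejected value.
        error_log( sprintf(
            'ufbl-guard: rejected %s from user %d, ip %s',
            UFBL_GUARD_PARAM,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_die( 'Invalid entry id.', 'Bad Request', array( 'response' => 400 ) );
    }

    // Normalise so the plugin's handler only ever sees the integer form.
    $_POST[ UFBL_GUARD_PARAM ]    = (string) (int) $raw;
    $_REQUEST[ UFBL_GUARD_PARAM ] = $_POST[ UFBL_GUARD_PARAM ];
}

// Priority 0 runs before the plugin's own handler (default priority 10).
add_action( 'wp_ajax_' . UFBL_GUARD_ACTION, 'ufbl_guard_check_request', 0 );
```

The guard only narrows the input reaching the query; it does not replace the update, and the rejected-request log lines are worth reviewing for accounts probing the endpoint.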

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2018-25352

Affected Products

Ultimate-Form-Builder-Lite