CVE-2018-25352

HIGH

WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25352. PoCs published by defensecode.

AI-analyzed exploit summary: This is a technical writeup detailing a SQL injection vulnerability in the WordPress Ultimate Form Builder Lite plugin. It identifies the vulnerable function ($wpdb->get_row()), the vulnerable variable ($_POST['entry_id']), and the attack vector via a crafted POST request to admin-ajax.php.

Description

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract or modify data, or to escalate privileges, within the WordPress database.

Exploits (1)

exploitdb WRITEUP
by defensecode · text · webapps · php
https://www.exploit-db.com/exploits/44884

Classification Writeup 90%
Attack Type Sqli
Complexity Trivial
Reliability Reliable
Target: WordPress Ultimate Form Builder Lite plugin < 1.3.7
Auth required
Prerequisites: WordPress admin or privileged user access · Plugin version < 1.3.7
devstral-2 · analyzed May 24, 2026

References (3)

Core References
Third Party Advisory
VulnCheck Advisory: WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id
https://www.vulncheck.com/advisories/wordpress-ultimate-form-builder-lite-sql-injection-via-entry-id
Exploit
ExploitDB-44884
https://www.exploit-db.com/exploits/44884
Vendor Advisory
Vulnerability Advisory
http://vulnerablesite.com/wp-admin/admin-ajax.php

Scores

CVSS v3 7.1
EPSS 0.0027
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
ultimate-form-builder-lite/Ultimate Form Builder Lite < 1.3.7
Published May 23, 2026
Tracked Since May 24, 2026