VYPR
Unrated severity · NVD Advisory · Published May 23, 2026

WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id

CVE-2018-25352

Description

WordPress Ultimate Form Builder Lite plugin versions 1.3.7 and below contain an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL through the entry_id POST parameter. An attacker sends a POST request to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action and a crafted entry_id value to read or modify WordPress database contents, or to escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress Ultimate Form Builder Lite plugin ≤1.3.7 has an authenticated SQL injection via the entry_id parameter, enabling database manipulation.

Vulnerability

WordPress Ultimate Form Builder Lite plugin versions 1.3.7 and below contain an SQL injection vulnerability in the ufbl_get_entry_detail_action AJAX action. The entry_id POST parameter is passed unsanitized into a $wpdb->get_row() query, allowing authenticated attackers to inject arbitrary SQL. The vulnerable endpoint is wp-admin/admin-ajax.php [1][2].
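The following is an added illustration of the pattern described above, not the plugin's own source: a handler for the ufbl_get_entry_detail_action AJAX action that concatenates entry_id into a $wpdb->get_row() query, beside a hardened version. The table name, nonce action name and capability are assumptions; only the action name and the entry_id parameter come from the advisory.

```php
<?php
// Added example, not the plugin's code. Table name 'ufbl_form_entries',
// nonce action 'ufbl_entry_detail_nonce' and the 'manage_options'
// capability are assumptions for illustration.

// --- Vulnerable pattern: user input spliced into the SQL text ---------------
add_action( 'wp_ajax_ufbl_get_entry_detail_action', 'ufbl_get_entry_detail_vulnerable' );

function ufbl_get_entry_detail_vulnerable() {
    global $wpdb;
    $table    = $wpdb->prefix . 'ufbl_form_entries';
    $entry_id = $_POST['entry_id']; // raw, attacker-controlled string

    // entry_id becomes part of the query text, so a value such as
    //   1 UNION SELECT user_login,user_pass,NULL,NULL FROM wp_users
    // changes the statement instead of being treated as a number.
    $row = $wpdb->get_row( "SELECT * FROM {$table} WHERE entry_id = {$entry_id}" );
    wp_send_json( $row );
}

// --- Hardened pattern: nonce, capability, type coercion, prepared query ------
function ufbl_get_entry_detail_fixed() {
    global $wpdb;

    // Rejects requests without a valid nonce for this action. Note that a
    // nonce alone is NOT an injection defence: any user who can load the
    // page that emits the nonce can still send arbitrary entry_id values.
    check_ajax_referer( 'ufbl_entry_detail_nonce', '_wpnonce' );

    // Authorisation: restrict who may read entry details at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Coerce to a non-negative integer; "1 OR 1=1" becomes 1, "abc" becomes 0.
    $entry_id = isset( $_POST['entry_id'] ) ? absint( $_POST['entry_id'] ) : 0;
    if ( 0 === $entry_id ) {
        wp_send_json_error( 'invalid entry_id', 400 );
    }

    $table = $wpdb->prefix . 'ufbl_form_entries';

    // %d placeholder: $wpdb->prepare() casts the argument to an integer and
    // substitutes it, so the SQL text is fixed regardless of input.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE entry_id = %d", $entry_id )
    );

    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
```

The two changes that actually close the injection are the absint() coercion and the %d placeholder in $wpdb->prepare(); the nonce and capability checks limit who can reach the query but would not, on their own, stop an authenticated user from supplying a malicious entry_id.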

Exploitation

An attacker must be authenticated as a WordPress user whose role can access the plugin's settings page (e.g., an administrator), since the request must carry a valid _wpnonce for the action. The attack sends a POST request to admin-ajax.php with action=ufbl_get_entry_detail_action, a valid _wpnonce, and a malicious entry_id value. The injected SQL is executed directly against the WordPress database [1].

Impact

Successful exploitation allows the attacker to read, modify, or delete arbitrary database content, including user tables and options. This can lead to privilege escalation (e.g., creating new admin users), data extraction (e.g., password hashes, sensitive content), or other unauthorized actions depending on the injected query [1][2].

Mitigation

The vulnerability is fixed in version 1.3.8 or later of the Ultimate Form Builder Lite plugin. Users should update immediately. No workaround is available if the plugin cannot be updated. The plugin may be at end-of-life (EOL) status; verify with the vendor [1][2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)