← volver
CVE-2018-25352

WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id

CVSS 7.1 HIGHEPSS 0.2%CWE-89
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Productos afectados
ultimate-form-builder-lite · Ultimate Form Builder Lite

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://www.exploit-db.com/exploits/44884https://www.vulncheck.com/advisories/wordpress-ultimate-form-builder-lite-sql-injection-via-entry-idhttp://vulnerablesite.com/wp-admin/admin-ajax.php