CyberSec.Space Logo
Back to CVE Browser

CVE-2018-25352

HIGH
7.1
CVSS Severity Score
EPSS Score0.1250%
EPSS Percentile13.38th
PublishedMay 23, 2026
Last ModifiedMay 26, 2026

Vulnerability Description

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 http://vulnerablesite.com/wp-admin/admin-ajax.php
🔗 https://www.exploit-db.com/exploits/44884
🔗 https://www.vulncheck.com/advisories/wordpress-ultimate-form-builder-lite-sql-injection-via-entry-id

Related Vulnerabilities

CVE-2018-422910.0

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Grand Central Dispatc...

CVE-2018-1472110.0

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by ...

CVE-2018-487210.0

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006...

CVE-2018-666710.0

Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1.0 through 7.8.1.5 allows remo...