What is GHSA-w23w-xj2v-xjfj?

GHSA-w23w-xj2v-xjfj is a security advisory published by GitHub Security Advisories with High severity. WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection...

Which CVE IDs does GHSA-w23w-xj2v-xjfj cover?

GHSA-w23w-xj2v-xjfj covers the following CVE IDs: CVE-2018-25352. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-w23w-xj2v-xjfj?

GHSA-w23w-xj2v-xjfj has a CVSS v3 base score of 7.1, published by GitHub Security Advisories.

GHSA-w23w-xj2v-xjfjHighCVSS 7.1

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2018-25352 →

📋 Description

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2018-25352
https://www.exploit-db.com/exploits/44884
https://www.vulncheck.com/advisories/wordpress-ultimate-form-builder-lite-sql-injection-via-entry-id
http://vulnerablesite.com/wp-admin/admin-ajax.php
https://github.com/advisories/GHSA-w23w-xj2v-xjfj