WordPress Plugin Ultimate Form Builder Lite Zero Day Vulnerability Fixed

October 24, 2017 Arrunadayy Koul 1 comment


Last month, Wordfence identified three plugins with critical PHP object injection vulnerabilities, all being exploited in the wild, and then deployed new and improved firewall rules to block that class of exploit.

While analyzing their attack data, Wordfence recently discovered that attackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin by AccessPress Themes. The plugin has 50,000 active installations according to WordPress.org.

The exploit being used chains a SQL injection vulnerability with a PHP object injection vulnerability: the injected query returns attacker-controlled data that the plugin then passes to unserialize(). This lets an attacker take over a vulnerable site with a single request to /wp-admin/admin-ajax.php, the WordPress AJAX endpoint through which the plugin exposes its handlers.
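The following is an added illustration of that bug class, not code from the plugin or from Wordfence's analysis. The table name, column, handler names and the AuditLogger class are hypothetical; SQLite via PDO stands in for $wpdb so the script runs stand-alone. It shows why a SQL injection that feeds unserialize() is worse than a plain data leak, and what the hardened form of the same handler looks like.

```php
<?php
// Added example (hypothetical code, not the plugin's): SQL injection chained
// into PHP object injection, and the fixed handler next to it.

// Any class already loaded by the application can be instantiated by
// unserialize(); its magic methods then run on attacker-chosen properties.
class AuditLogger
{
    public $line = '';
    public function __wakeup()
    {
        // Real-world gadget chains do file writes or code evaluation here.
        echo "AuditLogger::__wakeup ran with line='{$this->line}'\n";
    }
}

// Constructed sample data: a "submissions" table with a serialized "meta" column.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, meta TEXT)');
$db->exec("INSERT INTO submissions (id, meta) VALUES (1, '"
    . serialize(['name' => 'alice']) . "')");

// Vulnerable: untrusted id concatenated into SQL, result fed to unserialize().
function load_meta_vulnerable(PDO $db, string $id)
{
    $row = $db->query("SELECT meta FROM submissions WHERE id = " . $id)
              ->fetch(PDO::FETCH_ASSOC);
    return $row ? unserialize($row['meta']) : null;
}

// Hardened: bound parameter (no SQL injection), integer-cast id, and
// unserialize() forbidden from instantiating classes. In WordPress the
// equivalent is $wpdb->prepare() plus json_decode() or allowed_classes=false.
function load_meta_fixed(PDO $db, string $id)
{
    $stmt = $db->prepare('SELECT meta FROM submissions WHERE id = ?');
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Objects in the blob become __PHP_Incomplete_Class; no magic methods run.
    return unserialize($row['meta'], ['allowed_classes' => false]);
}

// Constructed attacker input: a UNION that returns a serialized AuditLogger
// in place of the stored meta. The string is the PHP serialization format:
// O:<len>:"<class>":<nprops>:{...}
$attack = "0 UNION SELECT 'O:11:\"AuditLogger\":1:{s:4:\"line\";s:8:\"injected\";}'";

echo "vulnerable handler:\n";
var_dump(load_meta_vulnerable($db, $attack));   // AuditLogger object, __wakeup fired

echo "fixed handler, same input:\n";
var_dump(load_meta_fixed($db, $attack));        // NULL: id cast to 0, no row

echo "fixed handler, legitimate id:\n";
var_dump(load_meta_fixed($db, '1'));            // array('name' => 'alice')
```

Run it with `php object_injection_demo.php` (requires the pdo_sqlite extension). The point to take away is that the two bugs are only dangerous together: the SQL injection on its own reads data, but because its output reaches unserialize(), the attacker controls which class gets instantiated and with what properties. Parameterized queries close the first hole; refusing to deserialize objects from untrusted data (allowed_classes => false, or JSON instead of serialize()) closes the second even if another injection appears later.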

Wordfence notified the plugin's author on October 13th, the day they found the problem. Within an hour of discovering the issue and notifying the author, they also deployed firewall rules on October 13th to protect Wordfence Premium customers.

The author has fixed this vulnerability in an update, version 1.3.7, which was released yesterday, October 23rd.

CVSS Score: 9.8 (Critical)

What To Do

Wordfence published a firewall rule to block this exploit within an hour of finding it, on October 13th. If you are running the Premium version of Wordfence and have the firewall enabled, this rule is already blocking the known exploit.

Anyone running this plugin should update to version 1.3.7 immediately; the update is the actual fix, while the firewall rule only blocks the exploit pattern Wordfence has seen. This applies above all to free users of Wordfence and to paid users who have the Wordfence firewall disabled, since the rule will not become available to free Wordfence users until November 12th.
