WordPress Plugin Ultimate Form Builder Lite Zero Day Vulnerability Fixed

Last month, Wordfence identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. After that, they deployed new and improved firewall rules to block that kind of exploit.

While analyzing their attack data, Wordfence recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin by AccessPress Themes. The plugin has 50,000 active installations according to WordPress.org.

The exploit being used combines a SQL injection vulnerability and a PHP object injection vulnerability. It allows attackers to take over a vulnerable site using just one request to /wp-admin/admin-ajax.php.

Wordfence notified the plugin’s author on October 13th, when they found the problem. They also deployed firewall rules on October 13th to protect Wordfence Premium customers, within an hour of discovering the issue and notifying the author.

The author has fixed this vulnerability in an update, version 1.3.7, which was released yesterday, October 23rd.

CVSS Score: 9.8 (Critical)

What To Do

Wordfence published a firewall rule to block this exploit within an hour of finding it, on October 13. If you are running the Premium version of Wordfence and have the firewall enabled, this rule is already protecting you.

Free users of Wordfence, and paid users who have the Wordfence firewall disabled, should update to version 1.3.7 immediately if they are running this plugin. This firewall rule will become available to free Wordfence users on November 12th.
