Last month, Wordfence identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. They then deployed new and improved firewall rules to block that kind of exploit.
While analyzing their attack data, Wordfence recently discovered that attackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin by AccessPress Themes. The plugin has 50,000 active installations according to WordPress.org.
The exploit being used combines a SQL injection vulnerability and a PHP object injection vulnerability. It allows attackers to take over a vulnerable site using just one request to /wp-admin/admin-ajax.php.
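The two weaknesses the advisory describes, an unprepared SQL query feeding data into unserialize(), typically appear together in an AJAX handler. The following is an added, hypothetical WordPress handler written for this note; it is not code from the Ultimate Form Builder Lite plugin, and the table, action and nonce names are assumptions. It shows the vulnerable shape beside a hardened one.

```php
<?php
// Hypothetical AJAX handler (assumed names; not the plugin's own code).
// Both functions load a saved form definition by id.

// VULNERABLE: request value concatenated into SQL, then unserialize() on the
// result. Whatever the attacker can put in the query result is also what gets
// unserialized, so SQL injection turns directly into PHP object injection.
function ufbl_example_load_form_vulnerable() {
    global $wpdb;
    $form_id = $_REQUEST['form_id'];                                  // unsanitised
    $row = $wpdb->get_var(
        "SELECT form_data FROM {$wpdb->prefix}example_forms WHERE id = $form_id"
    );
    $settings = unserialize( $row );                                   // object injection sink
    wp_send_json_success( $settings );
}

// HARDENED: nonce and capability check, prepared statement with a typed
// placeholder, and JSON instead of PHP serialisation for stored settings.
function ufbl_example_load_form_hardened() {
    global $wpdb;
    check_ajax_referer( 'ufbl_example_nonce', 'nonce' );               // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form_id = absint( $_REQUEST['form_id'] ?? 0 );                    // integer only
    $row = $wpdb->get_var( $wpdb->prepare(
        "SELECT form_data FROM {$wpdb->prefix}example_forms WHERE id = %d",
        $form_id
    ) );
    $settings = json_decode( (string) $row, true );                    // no unserialize()
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'bad form data', 400 );
    }
    // If legacy rows must still be read with unserialize(), pass
    // array( 'allowed_classes' => false ) so no object can be instantiated.
    wp_send_json_success( $settings );
}

// Register only the authenticated hook; add wp_ajax_nopriv_* solely when an
// action genuinely needs to be reachable without a logged-in user.
add_action( 'wp_ajax_ufbl_example_load_form', 'ufbl_example_load_form_hardened' );
```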
Wordfence notified the plugin’s author on October 13th, when they found the problem, and deployed firewall rules the same day to protect Wordfence Premium customers, within an hour of discovering the issue and notifying the author.
The author has fixed this vulnerability in an update, version 1.3.7, which was released yesterday, October 23rd.
CVSS Score: 9.8 (Critical)
What To Do
Wordfence published a firewall rule to block this exploit within an hour of finding it, on October 13. If you are running the Premium version of Wordfence and have the firewall enabled, this rule is already protecting you.
Free users of Wordfence, and paid users who have the Wordfence firewall disabled, who are running this plugin should update to version 1.3.7 immediately. This firewall rule will become available to free Wordfence users on November 12th.