# Title: WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection# Author: defensecode# Date: 2018-06-12# Software: WordPress Ultimate Form Builder Lite plugin# Version: 1.3.7 and below# The easiest way to reproduce the SQL injection vulnerability is to# visit the provided URL while being logged in as administrator or# another user that is authorized to access the plugin settings page.# Users that do not have full administrative privileges could abuse the# database access the vulnerability provides to either escalate their# privileges or obtain and modify database contents they were not# supposed to be able to.# SQL injection# Vulnerable Function:$wpdb->get_row()# Vulnerable Variable:$_POST['entry_id']# Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php# Vulnerable POST body:
entry_id=ExploitCodeHere&_wpnonce=xxx&action=ufbl_get_entry_detail_action
# Disclosure Timeline# 2018/06/01 Vulnerabilities discovered# 2018/06/06 Vendor contacted# 2018/06/08 Vendor responded# 2018/06/12 Advisory released to the public
