Zero Day Vulnerability Fixed in Ultimate Form Builder Lite
Last month, we identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. We deployed new and improved firewall rules to block that kind of exploit.
While analyzing our attack data, we recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin by AccessPress Themes. The plugin has 50,000 active installations according to WordPress.org.
The exploit being used combines a SQL injection vulnerability and a PHP object injection vulnerability. It allows attackers to take over a vulnerable site using just one request to /wp-admin/admin-ajax.php.
We notified the plugin’s author on October 13th, when we found the problem. We also deployed firewall rules on October 13th to protect Wordfence Premium customers, within an hour of discovering the issue and notifying the author.
The author has fixed this vulnerability in an update, version 1.3.7, which was released yesterday, October 23rd.
CVSS Score: 9.8 (Critical)
What To Do
We published a firewall rule to block this exploit within an hour of finding it, on October 13. If you are running the Premium version of Wordfence and have the firewall enabled, this rule is already protecting you.
Free users of Wordfence and paid users who have the Wordfence firewall disabled and are running this plugin should update to version 1.3.7 immediately. This firewall rule will become available to free Wordfence users on November 12th.