Zero Day Vulnerability Fixed in Ultimate Form Builder Lite

Last month, we identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. We deployed new and improved firewall rules to block that kind of exploit.

While analyzing our attack data, we recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin by AccessPress Themes. The plugin has 50,000 active installations according to

The exploit being used combines a SQL injection vulnerability and a PHP object injection vulnerability. It allows attackers to take over a vulnerable site using just one request to /wp-admin/admin-ajax.php.

We notified the plugin’s author on October 13th, when we found the problem. We also deployed firewall rules on October 13th to protect Wordfence Premium customers, within an hour of discovering the issue and notifying the author.

The author has fixed this vulnerability in an update, version 1.3.7, which was released yesterday, October 23rd.

CVSS Score: 9.8 (Critical)

What To Do

We published a firewall rule to block this exploit within an hour of finding it, on October 13. If you are running the Premium version of Wordfence and have the firewall enabled, this rule is already protecting you.

Free users of Wordfence and paid users who have the Wordfence firewall disabled and are running this plugin should update to version 1.3.7 immediately. This firewall rule will become available to free Wordfence users on November 12th.


Did you enjoy this post? Share it!


  • Just wanted to express gratitude and appreciation to you, Brad Haas, for catching this, and to the entire Wordfence team for all that you do to keep us safe. You folks rock! ??

  • Luckily our website does not use this plugin. Thank you WordFence for being the awesome security plugin you are. Your team really do deserve a medal for WordPress security. You’re our go to, and always will be!!