CVE-2025-8420 | THREATINT

Description

Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called

PUBLISHED Reserved 2025-07-31 | Published 2025-08-06 | Updated 2026-04-08 | Assigner Wordfence

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Product status

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Timeline

2025-07-31:	Vendor Notified
2025-08-05:	Disclosed

Credits

Michael Mazzolini finder

Youcef Hamdani finder

References

www.wordfence.com/...-aeac-49bc-960d-4b4ff83e9229?source=cve

plugins.trac.wordpress.org/...-a-quote&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...-manager&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...p-ticket&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/changeset/3346435/

plugins.trac.wordpress.org/changeset/3346460/

plugins.trac.wordpress.org/changeset/3347084/

plugins.trac.wordpress.org/...y-events&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...showcase&sfp_email=&sfph_mail=

cve.org (CVE-2025-8420)

nvd.nist.gov (CVE-2025-8420)

Download JSON

help @ threatint.eu