CVE-2025-8420
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/08/2025
Last modified:
15/04/2026
Description
Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/changeset/3346435/
- https://plugins.trac.wordpress.org/changeset/3346460/
- https://plugins.trac.wordpress.org/changeset/3347084/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338854%40request-a-quote&new=3338854%40request-a-quote
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340992%40software-issue-manager&new=3340992%40software-issue-manager
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3341064%40wp-ticket&new=3341064%40wp-ticket
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3348220%40wp-easy-events&new=3348220%40wp-easy-events
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365190%40youtube-showcase&new=3365190%40youtube-showcase
- https://www.wordfence.com/threat-intel/vulnerabilities/id/601aa2b5-aeac-49bc-960d-4b4ff83e9229?source=cve