CVE-2025-8420
HIGHemarket-design WordPress Plugins - Unauthenticated Remote Code Execution via emd_form_builder_lite_pagenum Function
Title source: llmDescription
Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called
References (9)
Core 9
Core References
Scores
CVSS v3
8.1
EPSS
0.0092
EPSS Percentile
55.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-95
Status
published
Products (8)
cyberlord92/Employee Directory – Staff Directory and Listing
< 4.5.2
emarket-design/Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
< 1.9.2
emarket-design/Customer Support Ticket System & Helpdesk Plugin for WordPress
< 6.0.1
emarket-design/Event RSVP and Simple Event Management Plugin
< 4.2.1
emarket-design/Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
< 5.0.0
emarket-design/Request a Quote Form Plugin – Price Quote Request Management Made Easy
< 2.5.2
emarket-design/Simple Contact Form Plugin for WordPress – WP Easy Contact
< 4.0.2
emarket-design/Video Gallery – YouTube Gallery & Responsive Video Playlist
< 3.5.2
Published
Aug 06, 2025
Tracked Since
Feb 18, 2026