Description
Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called
References (9)
Scores
CVSS v3
8.1
EPSS
0.0041
EPSS Percentile
61.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-95
Status
published
Products (8)
cyberlord92/Employee Directory – Staff Directory and Listing
< 4.5.2
emarket-design/Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
< 1.9.2
emarket-design/Customer Support Ticket System & Helpdesk Plugin for WordPress
< 6.0.1
emarket-design/Event RSVP and Simple Event Management Plugin
< 4.2.1
emarket-design/Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
< 5.0.0
emarket-design/Request a Quote Form Plugin – Price Quote Request Management Made Easy
< 2.5.2
emarket-design/Simple Contact Form Plugin for WordPress – WP Easy Contact
< 4.0.2
emarket-design/Video Gallery – YouTube Gallery & Responsive Video Playlist
< 3.5.2
Published
Aug 06, 2025
Tracked Since
Feb 18, 2026