CVE-2025-8420

Summary

Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called

Affected Software

VendorProductVersion RangeStatus
emarket-designCampus Directory – Faculty, Staff & Student Directory Plugin for WordPress0 <= 1.9.2affected
emarket-designRequest a Quote Form Plugin – Price Quote Request Management Made Easy0 <= 2.5.2affected
emarket-designVideo Gallery – YouTube Gallery & Responsive Video Playlist0 <= 3.5.2affected
emarket-designSimple Contact Form Plugin for WordPress – WP Easy Contact0 <= 4.0.2affected
emarket-designEvent RSVP and Simple Event Management Plugin0 <= 4.2.1affected
cyberlord92Employee Directory – Staff Directory and Listing0 <= 4.5.2affected
emarket-designProject Management, Bug and Issue Tracking Plugin – Software Issue Manager0 <= 5.0.0affected
emarket-designCustomer Support Ticket System & Helpdesk Plugin for WordPress0 <= 6.0.1affected

Weaknesses

  • CWE-95: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References