CVE-2025-8420
Published: Aug 6, 2025
Modified: Apr 8, 2026
CVSS v3.1
8.1
Description
Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called
| Vendor | Product | Versions |
|---|---|---|
emarket-design | Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress | affected 0 - <= 1.9.2 |
emarket-design | Request a Quote Form Plugin – Price Quote Request Management Made Easy | affected 0 - <= 2.5.2 |
emarket-design | Video Gallery – YouTube Gallery & Responsive Video Playlist | affected 0 - <= 3.5.2 |
emarket-design | Simple Contact Form Plugin for WordPress – WP Easy Contact | affected 0 - <= 4.0.2 |
emarket-design | Event RSVP and Simple Event Management Plugin | affected 0 - <= 4.2.1 |
cyberlord92 | Employee Directory – Staff Directory and Listing | affected 0 - <= 4.5.2 |
emarket-design | Project Management, Bug and Issue Tracking Plugin – Software Issue Manager | affected 0 - <= 5.0.0 |
emarket-design | Customer Support Ticket System & Helpdesk Plugin for WordPress | affected 0 - <= 6.0.1 |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now