Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution

CVE	CVE-2025-8420
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-08-06 03:15:27 UTC
Updated	2026-04-08 18:25:19 UTC
Description	Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called

Primary CVSS: v3.1 8.1 HIGH from [email protected]

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.004460000 probability, percentile 0.634590000 (date 2026-04-08)

Problem Types: CWE-95 | CWE-95 CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	8.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	8.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Emarket-design	Campus Directory Faculty Staff Student Directory Plugin For WordPress	affected 1.9.2 semver	Not specified
CNA	Emarket-design	Request A Quote Form Plugin Price Quote Request Management Made Easy	affected 2.5.2 semver	Not specified
CNA	Emarket-design	Video Gallery YouTube Gallery Responsive Video Playlist	affected 3.5.2 semver	Not specified
CNA	Emarket-design	Simple Contact Form Plugin For WordPress WP Easy Contact	affected 4.0.2 semver	Not specified
CNA	Emarket-design	Event RSVP And Simple Event Management Plugin	affected 4.2.1 semver	Not specified
CNA	Cyberlord92	Employee Directory Staff Directory And Listing	affected 4.5.2 semver	Not specified
CNA	Emarket-design	Project Management Bug And Issue Tracking Plugin Software Issue Manager	affected 5.0.0 semver	Not specified
CNA	Emarket-design	Customer Support Ticket System Helpdesk Plugin For WordPress	affected 6.0.1 semver	Not specified

Reference	Source	Link	Tags
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset/3346435	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/601aa2b5-aeac-49bc-960d-4b4ff...	[email protected]	www.wordfence.com
plugins.trac.wordpress.org/changeset/3347084	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset/3346460	[email protected]	plugins.trac.wordpress.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Michael Mazzolini (en)

CNA: Youcef Hamdani (en)

Source	Time	Event
CNA	2025-07-31T14:51:03.000Z	Vendor Notified
CNA	2025-08-05T13:47:52.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.