CVE-2025-8420
Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution
highImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
8.1
CVSS Score
8.1
CVSS Score
high
Severity
6.0.3
Patched in
51d
Time to patch
Description
Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=6.0.1PublishedAugust 5, 2025
Last updatedSeptember 25, 2025
Affected pluginwp-ticket
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.