CVE-2025-8420

The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338854%40request-a-quote&new=3338854%40request-a-quote&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/601aa2b5-aeac-49bc-960d-4b4ff83e9229?source=cve

Configurations

No configuration.

History

06 Aug 2025, 20:23

Type	Values Removed	Values Added
Summary		(es) El complemento Request a Quote Form para WordPress es vulnerable a la ejecución remota de código en versiones anteriores o iguales a la 2.5.2 a través de la función emd_form_builder_lite_pagenum. Esto se debe a que el complemento no valida correctamente la entrada del usuario antes de usarla como nombre de función. Esto permite que atacantes no autenticados ejecuten código en el servidor; sin embargo, no se pueden pasar parámetros a las funciones llamadas.

06 Aug 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-06 03:15

Updated : 2025-08-06 20:23

NVD link : CVE-2025-8420

Mitre link : CVE-2025-8420

CVE.ORG link : CVE-2025-8420

JSON object : View

Products Affected

No product.

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

8.1 /10