CVE-2025-5392
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-07-11
Last updated on: 2025-07-15
Assigner: Wordfence
Description
Description
The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | gb-forms-db | 1.0.2 |
| wordpress | gb-forms-db | 1.0.3 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The GB Forms DB plugin for WordPress has a Remote Code Execution vulnerability in versions up to 1.0.2. This occurs because the gbfdb_talk_to_front() function accepts user input and passes it through call_user_func(), allowing unauthenticated attackers to execute arbitrary code on the server.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute code remotely on your server without authentication. They could inject backdoors or create new administrative user accounts, potentially leading to full control over the affected system.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70