CVE-2025-8420
BaseFortify
Publication date: 2025-08-06
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | request_a_quote | * |
| wordpress | request_a_quote | 2.5.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Request a Quote Form plugin for WordPress, versions up to 2.5.2. It is a Remote Code Execution (RCE) flaw caused by improper validation of user input in the emd_form_builder_lite_pagenum function. This allows unauthenticated attackers to execute code on the server by using user input as a function name, although they cannot pass parameters to these functions.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to execute arbitrary code on the affected server, potentially leading to full compromise of the server, data theft, data loss, or disruption of services. Because the attacker can run code remotely, it poses a high risk to the confidentiality, integrity, and availability of the system.