CVE-2025-8420

HIGH8.1

Request a Quote Form Plugin <= 2.5.2 - Unauthenticated Limited Remote Code Execution

Published Aug 6, 2025

Modified 5 months ago

No fix available

Details

The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called.

References

WEBhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338854%40request-a-quote&new=3338854%40request-a-quote&sfp_email=&sfph_mail=ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-8420 WEBhttps://www.wordfence.com/threat-intel/vulnerabilities/id/601aa2b5-aeac-49bc-960d-4b4ff83e9229?source=cve

CVSS Analysis

CVSS v3.1

8.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

Other

CWE-95

Ecosystems

Timeline

PublishedAug 6, 2025

ModifiedAug 6, 2025