Cyber Posture

CVE-2025-8420

High · RCE

Published: 06 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: see Deeper analysis for the patch commits
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8420 is a high-severity Eval Injection (CWE-95) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent · SI-10 (Information Input Validation): Directly requires validating user-supplied inputs like the pagenum parameter before using them in dynamic function calls, preventing RCE exploitation.

prevent · (control identifier not shown on the page): Ensures timely identification, reporting, and patching of flaws in vulnerable WordPress plugins, such as those fixed in the referenced commits.

detect · RA-5 (Vulnerability Monitoring and Scanning): Mandates scanning for vulnerabilities like CVE-2025-8420 in plugins, enabling detection and prioritization for remediation.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

RCE in public-facing WordPress plugin via unsanitized dynamic function invocation (CWE-95) directly enables T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server; however, parameters can not be passed to the functions called.

Deeper analysis (AI-generated)

CVE-2025-8420 is a remote code execution vulnerability affecting multiple WordPress plugins developed by emarket-design that incorporate the 'emd-form-builder-lite' package. The issue arises in various versions through the emd_form_builder_lite_pagenum function, which fails to properly validate user input before using it as a function name. Published on 2025-08-06, the vulnerability is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).

Unauthenticated attackers can exploit this vulnerability remotely over the network, though it requires high attack complexity. By supplying malicious input to the vulnerable function, attackers can execute arbitrary code on the server. However, the flaw prevents passing parameters to the invoked functions, potentially limiting the scope of exploitable actions.
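Added illustration, not code from the emarket-design plugins (this page does not show their source): a hypothetical PHP handler with the CWE-95 shape the advisory describes, where the request's pagenum value becomes the name of a dynamically called function, beside an allowlist version that implements the SI-10 input-validation control. All function and constant names are hypothetical; only the pagenum parameter name comes from the advisory.

```php
<?php
// Added illustration, not the plugin's own code. Handler and function names are
// hypothetical; only the "pagenum" parameter name comes from the advisory.

// Two hypothetical pagination handlers a request may legitimately select.
function emd_page_first(): string { return 'first page'; }
function emd_page_last(): string  { return 'last page'; }

// CWE-95 shape: the request value is used directly as the name of a dynamic call.
// function_exists() only confirms that *some* function has this name, so any
// defined function can be invoked. No arguments are passed, which matches the
// advisory's note that parameters cannot be supplied to the called function.
function render_page_unsafe(string $pagenum): string {
    if (function_exists($pagenum)) {
        return $pagenum();
    }
    return 'invalid pagenum';
}

// Hardened shape (SI-10 input validation): the request value is only ever a key
// into a fixed allowlist, and the callable comes from the allowlist, never from the input.
const EMD_PAGENUM_HANDLERS = [
    'first' => 'emd_page_first',
    'last'  => 'emd_page_last',
];

function render_page_safe(string $pagenum): string {
    if (!array_key_exists($pagenum, EMD_PAGENUM_HANDLERS)) {
        return 'invalid pagenum';   // reject rather than fall through to any dynamic call
    }
    $handler = EMD_PAGENUM_HANDLERS[$pagenum];
    return $handler();
}

// Constructed requests: one legitimate key, one real handler name given directly,
// and one value naming nothing in the allowlist. Only the first is accepted; the
// unsafe variant would run the second because a function of that name exists.
foreach (['first', 'emd_page_last', 'not_a_handler'] as $input) {
    printf("%-14s -> %s\n", $input, render_page_safe($input));
}
```

The same allowlist check is what makes a WordPress audit of dynamic calls (`$name()`, `call_user_func($name)`) tractable: every callable must trace back to a constant, not to request data.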

Patches addressing CVE-2025-8420 are available in multiple WordPress plugin repository commits, including changesets 3346435, 3346460, and 3347084, as well as updates to the request-a-quote and software-issue-manager plugins documented in trac changesets from old revisions 3338854 and 3340992. Security practitioners should update affected plugins immediately to mitigate the risk.

Details

CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)

Affected Products: WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-68271 (shared CWE-95)
CVE-2026-4001 (shared CWE-95)
CVE-2026-29091 (shared CWE-95)
CVE-2026-1470 (shared CWE-95)
CVE-2026-33618 (shared CWE-95)
CVE-2025-50187 (shared CWE-95)
CVE-2025-55728 (shared CWE-95)
CVE-2025-0868 (shared CWE-95)
CVE-2026-35002 (shared CWE-95)
CVE-2025-55727 (shared CWE-95)

References