What the vulnerability does
01Description
Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called
Explanation of Vulnerability in Simple Terms
02Summary
The Campus Directory plugin for WordPress contains an improper code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the site. The vulnerability exists in versions up to 1.9.2 and requires specific conditions to exploit. Site administrators should update immediately to a patched version.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site without authentication.
Potential impact on your site
04Site Impact
Complete compromise of the WordPress site, including data theft, malware injection, and site takeover.
Conditions required to exploit
05Prerequisites
Network access to the site; specific attack conditions must be met (high complexity).
Key dates
06Disclosure timeline
August 6, 2025
CVE published
April 8, 2026
Record updated