CVE-2025-8420 HIGH

CVE-2025-8420: Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution

Vendor Emarket-Design
Product Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
Weakness CWE-95 · Eval injection
Published August 6, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server; however, parameters cannot be passed to the functions called.
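The bug class described above (request input used as a function name), as an added example that is not the plugin's own code: the function names, the `callback` request key and the handler table are hypothetical. The first function shows why an existence check is not validation; the second resolves the name through a fixed allowlist.

```php
<?php
// Added illustration of CWE-95 style dynamic calls; not the plugin's code.
// All names below (request key, handlers) are hypothetical.

// Weak: the request string itself becomes the function name. function_exists()
// only proves the name resolves, so any defined zero-argument function can run.
function render_pagenum_unsafe(array $request): string
{
    $name = $request['callback'] ?? '';
    if (!is_string($name) || !function_exists($name)) {
        return '';
    }
    return (string) $name();
}

function pagenum_first(): string { return '1'; }
function pagenum_last(): string  { return '10'; }

// Hardened: the request carries a token; code owns the token-to-function map.
const PAGENUM_HANDLERS = [
    'first' => 'pagenum_first',
    'last'  => 'pagenum_last',
];

function render_pagenum_safe(array $request): string
{
    $token = $request['callback'] ?? '';
    if (!is_string($token) || !array_key_exists($token, PAGENUM_HANDLERS)) {
        return ''; // unknown token: refuse, never fall back to a dynamic call
    }
    $handler = PAGENUM_HANDLERS[$token];
    return $handler();
}

// Constructed requests: one expected token, one name of an unrelated built-in.
$expected  = ['callback' => 'first'];
$unrelated = ['callback' => 'phpversion'];

// Each line checks one property of the two implementations.
var_dump(render_pagenum_unsafe($unrelated) === phpversion()); // did the unrelated built-in run?
var_dump(render_pagenum_safe($unrelated) === '');             // did the allowlist refuse it?
var_dump(render_pagenum_safe($expected) === '1');             // does the intended handler still work?
```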

Explanation of Vulnerability in Simple Terms

02 Summary

The Campus Directory plugin for WordPress contains an improper code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the site. The vulnerability exists in versions up to 1.9.2 and requires specific conditions to exploit. Site administrators should update immediately to a patched version.

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site without authentication.

Potential impact on your site

04 Site Impact

Complete compromise of the WordPress site, including data theft, malware injection, and site takeover.

Conditions required to exploit

05 Prerequisites

Network access to the site; specific attack conditions must be met (high complexity).

Key dates

06 Disclosure timeline

August 6, 2025 CVE published
April 8, 2026 Record updated