Request a Quote Form WordPress Plugin CVE-2025-8420 Remote Code Execution: Brief Summary and Technical Details

This post provides a brief summary and technical details of CVE-2025-8420, a remote code execution vulnerability in the Request a Quote Form plugin for WordPress (versions up to and including 2.5.2). The vulnerability stems from improper input validation in the emd_form_builder_lite_pagenum function, which uses a user-supplied value as the name of a function to call, allowing unauthenticated attackers to execute code on the server. No patch or detection methods are available at this time.
ZeroPath CVE Analysis

2025-08-05
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single unauthenticated request can let an attacker execute code on a WordPress site running the Request a Quote Form plugin, potentially leading to full site compromise. This vulnerability affects a plugin commonly used by small businesses and B2B service providers to manage quote requests, making its impact broad across the WordPress ecosystem.

About the Request a Quote Form Plugin: The Request a Quote Form plugin is a widely adopted WordPress extension designed to streamline quote and inquiry management for business websites. With thousands of active installations, it is a go-to tool for organizations seeking to automate and centralize their quotation workflows within WordPress.

Technical Information

CVE-2025-8420 is a remote code execution vulnerability in the Request a Quote Form plugin for WordPress, affecting all versions up to and including 2.5.2. The vulnerability resides in the emd_form_builder_lite_pagenum function, which is part of the plugin's form builder functionality. This function takes a user-controlled value and uses it as a function name in a dynamic call without checking it against a fixed set of expected handlers. As a result, an unauthenticated attacker can supply the name of any function defined in the running PHP process, and the plugin will invoke it.

Key technical points:

  • The root cause is improper input validation (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code).
  • The vulnerable function processes user-supplied data as a function name, allowing code execution without authentication.
  • Parameters cannot be passed to the called functions. This limits the attacker to functions that can run with no arguments, but any such function from PHP core, WordPress core, the active theme or another installed plugin is still reachable, so the risk of compromise is not eliminated.
  • No public code snippets or proof of concept are available as of this writing.
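The following PHP is an added illustration of the vulnerability class described above and its standard fix; it is not the plugin's code, and the function name, request key and handler names in it are assumptions chosen for the example. The vulnerable form forwards a request value straight to call_user_func with no arguments, which is the behaviour the advisory describes; the hardened form only lets the request select an entry from a fixed allowlist.

```php
<?php
// Added example, not code from the Request a Quote Form plugin.
// Names such as vulnerable_pagenum(), hardened_pagenum() and the
// 'callback' request key are assumptions for illustration only.

// VULNERABLE (CWE-95 pattern): the request decides which function runs.
// No arguments are forwarded, so only zero-argument functions are usable,
// which is exactly the limitation the advisory notes. function_exists() is
// not a safeguard here: every loaded function passes it.
function vulnerable_pagenum(array $request)
{
    $callback = (string) ($request['callback'] ?? '');
    if (function_exists($callback)) {
        return call_user_func($callback);   // attacker-chosen function name
    }
    return null;
}

// HARDENED: the request may only pick a key from this table; it can never
// name a function. Unknown keys are refused rather than guessed.
const PAGENUM_HANDLERS = [
    'first' => 'pagenum_first',
    'next'  => 'pagenum_next',
];

function pagenum_first(): int { return 1; }
function pagenum_next(): int  { return 2; }

function hardened_pagenum(array $request): ?int
{
    $key = (string) ($request['callback'] ?? '');
    if (!array_key_exists($key, PAGENUM_HANDLERS)) {
        return null;                        // not on the allowlist
    }
    $fn = PAGENUM_HANDLERS[$key];
    return $fn();
}

// Constructed input: an attacker names a side-effect-free built-in to
// prove the call happens (php_uname takes no required arguments).
var_dump(vulnerable_pagenum(['callback' => 'php_uname']) !== null); // bool(true)
var_dump(hardened_pagenum(['callback' => 'php_uname']));           // NULL
var_dump(hardened_pagenum(['callback' => 'next']));                // int(2)
```

The design point is that the fix is a mapping from request data to handlers the code already trusts, not validation of the function name itself. Checks such as function_exists() or is_callable() on attacker input would still accept every function loaded into the process, so they do not close the hole.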

Affected Systems and Versions

  • Product: Request a Quote Form plugin for WordPress
  • Affected versions: All versions up to and including 2.5.2
  • Any WordPress site with this plugin at or below version 2.5.2 is vulnerable regardless of configuration.

Vendor Security History

The Request a Quote Form plugin has a history of active development and regular feature updates. However, this vulnerability highlights a significant lapse in secure coding practices, specifically treating request data as a function name without an allowlist. No additional information is available regarding previous vulnerabilities or the vendor's patch response times.
