CVE-2025-8420: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in emarket-design Request a Quote Form Plugin – Price Quote Request Management Made Easy
The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in versions less than or equal to 2.5.2 via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server; however, parameters cannot be passed to the functions called.
AI Analysis
Technical Summary
CVE-2025-8420 is a remote code execution (RCE) vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, also known as 'Eval Injection') affecting the 'Request a Quote Form' plugin by emarket-design for WordPress, specifically versions 2.5.2 and earlier. The vulnerability exists in the emd_form_builder_lite_pagenum function, where user input is improperly validated before being used as a function name. This improper validation allows an unauthenticated attacker to supply arbitrary function names that the plugin will execute on the server. Although the attacker cannot pass parameters to these functions, the ability to invoke arbitrary functions remotely can lead to full remote code execution, compromising the server's confidentiality, integrity, and availability. The CVSS v3.1 score is 8.1 (high severity) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, high attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, and no known exploits have been observed in the wild. The vulnerability affects all versions up to and including 2.5.2 of the plugin. This plugin is used primarily on WordPress sites to manage price quote requests, often in e-commerce or business contexts, making affected sites attractive targets for attackers seeking to compromise web servers or pivot into internal networks.
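As an added illustration (constructed for this page, not the plugin's own source, which is not shown here), the dynamic-call pattern that CWE-95 describes, beside an allowlist dispatcher that removes it; the function names, the request parameter and the handler keys are assumptions.

```php
<?php
// Constructed example of the CWE-95 pattern described in the advisory.
// This is NOT the plugin's code; names and parameters are hypothetical.

// Vulnerable pattern: a request value is used directly as a callable.
// function_exists() only confirms the name resolves; it is not an allowlist,
// so any existing function name can be invoked (with no arguments, which
// matches the advisory's note that parameters cannot be passed).
function pagenum_vulnerable(array $request): string {
    $callback = $request['pagenum_cb'] ?? 'default_pagenum';
    if (is_string($callback) && function_exists($callback)) {
        return (string) $callback();   // dynamic call on untrusted input
    }
    return '';
}

// Hardened pattern: the request supplies a key, never a PHP function name.
// The key is looked up in a fixed, code-controlled map of callables.
const PAGENUM_HANDLERS = [
    'default' => 'default_pagenum',
    'compact' => 'compact_pagenum',
];

function pagenum_hardened(array $request): string {
    $key = $request['pagenum_cb'] ?? 'default';
    if (!is_string($key) || !array_key_exists($key, PAGENUM_HANDLERS)) {
        // Reject unknown keys outright and leave a trace for detection.
        error_log('pagenum: rejected handler key ' . var_export($key, true));
        return '';
    }
    $handler = PAGENUM_HANDLERS[$key];
    return (string) $handler();
}

// Hypothetical handlers that the allowlist points to.
function default_pagenum(): string { return '1'; }
function compact_pagenum(): string { return '1/1'; }

// Demonstration with constructed requests: only allowlisted keys dispatch.
var_dump(pagenum_hardened(['pagenum_cb' => 'compact']));
var_dump(pagenum_hardened(['pagenum_cb' => 'not_in_allowlist']));
```

The rejected-key log line is what the monitoring recommended below should key on: a parameter that names something outside the expected set.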
Potential Impact
The impact of CVE-2025-8420 is significant for organizations using the vulnerable 'Request a Quote Form' plugin on WordPress sites. Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the web server, potentially leading to full system compromise. This can result in data breaches exposing sensitive customer or business information, defacement or disruption of websites, deployment of malware or ransomware, and use of compromised servers as pivot points for further attacks within corporate networks. The inability to pass parameters to the invoked functions somewhat constrains exploitation but does not mitigate the high risk posed by arbitrary function invocation. Organizations relying on this plugin for customer interactions or sales processes may face operational disruptions and reputational damage. Given the plugin's use in e-commerce and business environments, attackers could also leverage this vulnerability for financial fraud or intellectual property theft. The vulnerability's network accessibility and lack of required authentication increase the likelihood of exploitation if unpatched.
Mitigation Recommendations
To mitigate CVE-2025-8420, organizations should immediately update the 'Request a Quote Form' plugin to a version later than 2.5.2 once a patch is released by emarket-design. Until a patch is available, administrators should consider disabling or removing the plugin to eliminate the attack surface. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the emd_form_builder_lite_pagenum function or containing unusual function name parameters. Restricting access to the plugin's endpoints via IP whitelisting or authentication can reduce exposure. Additionally, monitoring web server logs for anomalous requests invoking unexpected functions can provide early detection of exploitation attempts. Employing least privilege principles on the web server and isolating WordPress instances can limit the impact of successful exploitation. Regular backups and incident response plans should be in place to recover from potential compromises. Security teams should also stay alert for any emerging exploit code or indicators of compromise related to this vulnerability.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-31T14:35:50.620Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6892c252ad5a09ad00edba4a
Added to database: 8/6/2025, 2:47:46 AM
Last enriched: 2/26/2026, 5:07:24 PM
Last updated: 3/24/2026, 7:26:29 AM