{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5392", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-30T15:43:16.649Z", "datePublished": "2025-07-11T06:43:33.982Z", "dateUpdated": "2026-04-08T17:35:10.961Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:10.961Z"}, "affected": [{"vendor": "gb-plugins", "product": "GB Forms DB", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things."}], "title": "GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe8723a7-bbb1-41a0-b222-3cf4eb44cd64?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L334"}, {"url": "https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L367"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3323703%40gb-forms-db&new=3323703%40gb-forms-db&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "timeline": [{"time": "2025-07-10T18:32:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-11T16:54:50.803779Z", "id": "CVE-2025-5392", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-11T16:55:30.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5392", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-11T16:54:50.803779Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-11T16:55:13.935Z"}}], "cna": {"title": "GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "gb-plugins", "product": "GB Forms DB", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-10T18:32:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe8723a7-bbb1-41a0-b222-3cf4eb44cd64?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L334"}, {"url": "https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L367"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3323703%40gb-forms-db&new=3323703%40gb-forms-db&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:10.961Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5392", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:10.961Z", "dateReserved": "2025-05-30T15:43:16.649Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-11T06:43:33.982Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things."}, {"lang": "es", "value": "El complemento GB Forms DB para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 1.0.2 incluida, a trav\u00e9s de la funci\u00f3n gbfdb_talk_to_front(). Esto se debe a que la funci\u00f3n acepta la entrada del usuario y la pasa a trav\u00e9s de call_user_func(). Esto permite que atacantes no autenticados ejecuten c\u00f3digo en el servidor, lo que puede utilizarse para inyectar puertas traseras o crear nuevas cuentas de usuario administrativas, entre otras cosas."}], "id": "CVE-2025-5392", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-11T07:15:25.033", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L334"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L367"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3323703%40gb-forms-db&new=3323703%40gb-forms-db&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe8723a7-bbb1-41a0-b222-3cf4eb44cd64?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:18:23.137629+00:00", "value": {"mitigation_remediation": ["Update GB Forms DB to the latest version that removes the vulnerability.", "If immediate update is not possible, uninstall or disable the plugin completely to eliminate the attack surface.", "As a temporary measure, restrict access to the gbfdb_talk_to_front() endpoint by applying IP whitelisting, access controls, or firewall rules that block unauthenticated requests."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "GB Forms DB plugin for WordPress. All released versions up to and including 1.0.2 are vulnerable. The exploit is tied to the plugin\u2019s gbfdb_talk_to_front() endpoint, which is invoked through the WordPress site.", "description_and_impact": "The GB Forms DB plugin for WordPress contains a vulnerability in the gbfdb_talk_to_front() function that accepts user input and passes it to call_user_func. This flaw allows an attacker to execute arbitrary PHP code on the server without authentication, enabling the deployment of backdoors, creation of new administrative users, and other destructive activities.", "risk_and_exploitability": "The CVSS score of 9.8 classifies this vulnerability as critical, and the EPSS score indicates a very low probability of exploitation (<1%). It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an unauthenticated HTTP request to the plugin\u2019s front\u2011end function, which requires the plugin to be installed and publicly accessible. Successful exploitation would grant attackers full remote code execution and control over the affected server."}}}}, "created": "2025-07-13T11:06:17.007020+00:00", "updated": "2026-04-20T22:30:19.866426+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}