CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-5392: GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution

9.8 CVSS

Description

The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things.

Classification

CVE ID: CVE-2025-5392

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Affected Products

Vendor: gb-plugins

Product: GB Forms DB

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.24% (probability of being exploited)

EPSS Percentile: 46.5% (scored less or equal to compared to others)

EPSS Date: 2025-07-16 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5392
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe8723a7-bbb1-41a0-b222-3cf4eb44cd64?source=cve
https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L334
https://plugins.trac.wordpress.org/browser/gb-forms-db/trunk/core/functions.php#L367
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3323703%40gb-forms-db&new=3323703%40gb-forms-db&sfp_email=&sfph_mail=

Timeline

2025-07-11 07:40:13 UTC
CVE

GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution