Description
The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things.
Published: 2025-07-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The GB Forms DB plugin for WordPress contains a vulnerability in the gbfdb_talk_to_front() function that accepts user input and passes it to call_user_func. This flaw allows an attacker to execute arbitrary PHP code on the server without authentication, enabling the deployment of backdoors, creation of new administrative users, and other destructive activities.

Affected Systems

GB Forms DB plugin for WordPress. All released versions up to and including 1.0.2 are vulnerable. The exploit is tied to the plugin’s gbfdb_talk_to_front() endpoint, which is invoked through the WordPress site.

Risk and Exploitability

The CVSS score of 9.8 classifies this vulnerability as critical, and the EPSS score indicates a very low probability of exploitation (<1%). It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an unauthenticated HTTP request to the plugin’s front‑end function, which requires the plugin to be installed and publicly accessible. Successful exploitation would grant attackers full remote code execution and control over the affected server.

Generated by OpenCVE AI on April 20, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GB Forms DB to the latest version that removes the vulnerability.
  • If immediate update is not possible, uninstall or disable the plugin completely to eliminate the attack surface.
  • As a temporary measure, restrict access to the gbfdb_talk_to_front() endpoint by applying IP whitelisting, access controls, or firewall rules that block unauthenticated requests.

Generated by OpenCVE AI on April 20, 2026 at 22:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21121 The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things.
History

Fri, 11 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00236}

Fri, 11 Jul 2025 07:00:00 +0000

Type Values Removed Values Added
Description The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things.
Title GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:10.961Z

Reserved: 2025-05-30T15:43:16.649Z

Link: CVE-2025-5392

cve-icon Vulnrichment

Updated: 2025-07-11T16:55:13.935Z

cve-icon NVD

Status : Deferred

Published: 2025-07-11T07:15:25.033

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses