An unauthenticated remote code execution flaw exists in a number of WordPress plugins from emarket‑design where the emd_form_builder_lite_pagenum function accepts user input and uses it directly as a callable function name without validation or sanitization. This lack of verification allows an attacker to force the plugin to invoke arbitrary PHP functions on the server, potentially altering application data, reading sensitive files, or loading malicious code. The weakness corresponds to Code Injection (CWE‑95). Because the vulnerability permits execution without passing arguments, the impact is limited to function calls that do not require parameters, but the ability to execute any permitted function already endangers system integrity.

The affected products encompass a range of emarket‑design WordPress plugins including the Employee Directory, Campus Directory, Customer Support Ticket System, Event RSVP, Project Management, Request a Quote Form, Simple Contact Form, and Video Gallery plug‑ins, as well as the cyberlord92 Employee Directory – Staff Directory and Listing. All versions that bundle the 'emd-form-builder-lite' package are vulnerable; specific version numbers are not supplied in the advisory. Site owners running any of these plugins on a WordPress installation should assume that the components are at risk until patched.

The CVSS score of 8.1 indicates a high severity vulnerability, while the EPSS score of less than 1% suggests a low current exploitation probability. The issue is not yet listed in the CISA KEV catalog. Attackers can exploit the flaw over the public web interfaces exposed by WordPress, requiring no prior authentication. Because the vulnerable endpoint can be accessed by any user, the risk surface is broad and the potential impact for an attacker is substantial if the site accepts an unexpected function name. Administrators should treat this as a high‑risk condition while the fix is applied.