Remote Code Execution Vulnerability in GB Forms DB Plugin for WordPress
CVE-2025-5392

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Gb Forms Db
Vendor: CVE Published:; 11 July 2025

What is CVE-2025-5392?

The GB Forms DB plugin for WordPress contains a significant vulnerability that allows remote code execution due to improper handling of user input in the gbfdb_talk_to_front() function. This function processes unvalidated user input and subsequently uses call_user_func(), enabling unauthenticated attackers to execute arbitrary code on the server. Such exploitation can lead to severe security risks, including unauthorized code injection, potential backdoor access, and the creation of new administrative accounts.

Affected Version(s)

GB Forms DB * <= 1.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/gb-forms-db/tr...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 11, 2025
Vulnerability Reserved
May 30, 2025

Credit

Alexander Chikaylo