CVE-2025-13159 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress. This vulnerability affects all versions up to and including 1.0.43. The root cause is the plugin's acceptance of SVG file uploads through an unauthenticated AJAX endpoint named `flo_form_submit` without proper validation of the file contents. SVG files can contain embedded JavaScript, and because the plugin does not sanitize or restrict these uploads, attackers can upload malicious SVGs containing JavaScript payloads. When an administrator later views the uploaded SVG file in the WordPress admin dashboard, the embedded JavaScript executes in the context of the administrator’s browser session. This can lead to session hijacking, privilege escalation, or full site compromise, including the potential to install backdoors or manipulate site content. The vulnerability requires no authentication to upload the malicious file but does require an administrator to interact with the uploaded content to trigger the exploit. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with partial confidentiality, integrity, and availability impacts. Although no known exploits are currently in the wild, the vulnerability is critical due to the widespread use of WordPress and the plugin’s popularity. The lack of patch availability at the time of disclosure increases the urgency for mitigation.

This vulnerability poses a significant risk to organizations using the Flo Forms plugin on WordPress sites. Successful exploitation can lead to full site compromise, allowing attackers to execute arbitrary JavaScript in administrator sessions. This can result in theft of administrative credentials, unauthorized changes to website content, installation of persistent backdoors, and disruption of website availability. The compromise of administrative accounts can cascade into broader network access if the WordPress site is integrated with other internal systems. Additionally, attackers could leverage the compromised site to launch further attacks on site visitors or use the site as a platform for phishing or malware distribution. Given WordPress’s extensive use globally, the impact can be widespread, affecting businesses, government agencies, and other organizations relying on this plugin. The vulnerability also undermines trust in affected websites and can cause reputational damage and financial loss.

Organizations should immediately restrict SVG file uploads through the Flo Forms plugin by disabling the upload feature if possible until a patch is released. Implement web application firewall (WAF) rules to detect and block suspicious SVG uploads, particularly those containing embedded scripts or unusual tags. Administrators should avoid viewing uploaded SVG files in the WordPress admin interface until the vulnerability is remediated. Monitoring and logging of AJAX endpoint usage (`flo_form_submit`) should be enhanced to detect anomalous upload activity. If feasible, restrict access to the AJAX endpoint by IP address or require authentication to reduce exposure. Regularly update WordPress and plugins, and subscribe to vendor advisories for patch releases. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts. Finally, conduct security audits and scanning for signs of compromise, especially if the plugin was in use prior to mitigation.