CVE-2025-13159: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in flothemesplugins Flo Forms – Easy Drag & Drop Form Builder
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint (`flo_form_submit`) without proper file content validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when an administrator views the uploaded file in the WordPress admin interface, leading to potential full site compromise.
AI Analysis
Technical Summary
CVE-2025-13159 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress. The vulnerability exists because the plugin permits unauthenticated users to upload SVG files through an AJAX endpoint named `flo_form_submit` without performing adequate file content validation. SVG files can contain embedded JavaScript, which, when uploaded maliciously, can execute in the context of the WordPress admin interface. This execution occurs when an administrator views the uploaded SVG file, enabling attackers to run arbitrary scripts. Such scripts can lead to session hijacking, privilege escalation, or full site compromise, including defacement, data theft, or installation of backdoors. The vulnerability affects all plugin versions up to and including 1.0.43. The CVSS 3.1 base score is 7.1, indicating a high severity due to network attack vector, no privileges required, low attack complexity, requirement for user interaction (admin viewing the file), and a scope change impacting confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, but the ease of exploitation and potential impact make it a significant threat. The lack of patch links suggests a patch may not yet be available, increasing urgency for mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk to websites running WordPress with the vulnerable Flo Forms plugin installed. Exploitation can lead to full site compromise, which may result in data breaches, defacement, loss of customer trust, and disruption of business operations. Given the widespread use of WordPress across Europe, especially among small and medium enterprises and public sector websites, the attack surface is considerable. Compromised sites could be used to distribute malware, conduct phishing campaigns, or serve as pivot points for further network intrusions. The impact on confidentiality, integrity, and availability is high, potentially affecting sensitive customer data and critical business functions. Additionally, regulatory implications under GDPR may arise if personal data is exposed or mishandled due to exploitation.
Mitigation Recommendations
1. Immediately disable SVG file uploads in the Flo Forms plugin or globally in WordPress until a secure patch is released. 2. Restrict access to the `flo_form_submit` AJAX endpoint by implementing authentication and authorization checks to prevent unauthenticated uploads. 3. Implement server-side validation to strictly verify uploaded file types and sanitize SVG content to remove any embedded scripts. 4. Monitor WordPress admin activity logs for unusual SVG uploads or admin interactions with uploaded files. 5. Educate administrators to avoid opening or previewing untrusted SVG files in the admin interface. 6. Apply security plugins that can detect and block malicious file uploads and XSS payloads. 7. Once available, promptly apply official patches from the vendor. 8. Conduct regular security audits and vulnerability scans focusing on WordPress plugins. 9. Consider employing Content Security Policy (CSP) headers to limit script execution in the admin interface. 10. Backup WordPress sites regularly to enable quick recovery in case of compromise.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-13159: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in flothemesplugins Flo Forms – Easy Drag & Drop Form Builder
Description
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint (`flo_form_submit`) without proper file content validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when an administrator views the uploaded file in the WordPress admin interface, leading to potential full site compromise.
AI-Powered Analysis
Technical Analysis
CVE-2025-13159 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress. The vulnerability exists because the plugin permits unauthenticated users to upload SVG files through an AJAX endpoint named `flo_form_submit` without performing adequate file content validation. SVG files can contain embedded JavaScript, which, when uploaded maliciously, can execute in the context of the WordPress admin interface. This execution occurs when an administrator views the uploaded SVG file, enabling attackers to run arbitrary scripts. Such scripts can lead to session hijacking, privilege escalation, or full site compromise, including defacement, data theft, or installation of backdoors. The vulnerability affects all plugin versions up to and including 1.0.43. The CVSS 3.1 base score is 7.1, indicating a high severity due to network attack vector, no privileges required, low attack complexity, requirement for user interaction (admin viewing the file), and a scope change impacting confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, but the ease of exploitation and potential impact make it a significant threat. The lack of patch links suggests a patch may not yet be available, increasing urgency for mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk to websites running WordPress with the vulnerable Flo Forms plugin installed. Exploitation can lead to full site compromise, which may result in data breaches, defacement, loss of customer trust, and disruption of business operations. Given the widespread use of WordPress across Europe, especially among small and medium enterprises and public sector websites, the attack surface is considerable. Compromised sites could be used to distribute malware, conduct phishing campaigns, or serve as pivot points for further network intrusions. The impact on confidentiality, integrity, and availability is high, potentially affecting sensitive customer data and critical business functions. Additionally, regulatory implications under GDPR may arise if personal data is exposed or mishandled due to exploitation.
Mitigation Recommendations
1. Immediately disable SVG file uploads in the Flo Forms plugin or globally in WordPress until a secure patch is released. 2. Restrict access to the `flo_form_submit` AJAX endpoint by implementing authentication and authorization checks to prevent unauthenticated uploads. 3. Implement server-side validation to strictly verify uploaded file types and sanitize SVG content to remove any embedded scripts. 4. Monitor WordPress admin activity logs for unusual SVG uploads or admin interactions with uploaded files. 5. Educate administrators to avoid opening or previewing untrusted SVG files in the admin interface. 6. Apply security plugins that can detect and block malicious file uploads and XSS payloads. 7. Once available, promptly apply official patches from the vendor. 8. Conduct regular security audits and vulnerability scans focusing on WordPress plugins. 9. Consider employing Content Security Policy (CSP) headers to limit script execution in the admin interface. 10. Backup WordPress sites regularly to enable quick recovery in case of compromise.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-14T00:33:54.064Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6920235bcf2d47c38997b556
Added to database: 11/21/2025, 8:31:23 AM
Last enriched: 11/28/2025, 9:30:17 AM
Last updated: 1/8/2026, 10:04:48 AM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-0676: Missing Authorization in G5Theme Zorka
HighCVE-2026-0675: Exposure of Sensitive System Information to an Unauthorized Control Sphere in webaware NextGEN Download Gallery
HighCVE-2026-0674: Missing Authorization in Campaign Monitor Campaign Monitor for WordPress
HighCVE-2025-69169: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Noor Alam Easy Media Download
HighCVE-2025-68892: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gopiplus@hotmail.com Scroll rss excerpt
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.