Critical Vulnerability: Flo Forms Plugin Exposes WordPress Sites to XSS Attack (CVE-2025-13159)

Overview

CVE-2025-13159 describes a critical Stored Cross-Site Scripting (XSS) vulnerability found in the Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress, affecting versions up to and including 1.0.43. This vulnerability allows unauthenticated attackers to inject malicious JavaScript code into the WordPress admin interface, potentially leading to full site compromise.

Technical Details

The vulnerability stems from the plugin’s handling of SVG file uploads via an unauthenticated AJAX endpoint, specifically flo_form_submit. The plugin lacks proper validation of the SVG file content, allowing attackers to upload malicious SVG files containing embedded JavaScript. When an administrator views the uploaded file (e.g., in the Media Library or form submission details) in the WordPress admin panel, the injected JavaScript code executes. Because the code runs in the context of the administrator’s session, it can be leveraged to perform administrative actions, such as creating new admin users, injecting malicious code into other plugins/themes, or redirecting users to phishing sites.

The vulnerable code sections are located in:

• admin/class-flo-forms-admin.php (related to admin functionalities)
• includes/class-flo-forms.php (core plugin functionalities)
• public/class-flo-forms-public.php (handling public form submissions)

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13159 a score of 7.1, indicating a HIGH severity. This score reflects the following factors:

• Attack Vector (AV): Network (N) – The vulnerability can be exploited over a network.
• Attack Complexity (AC): Low (L) – Exploitation requires minimal effort.
• Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
• User Interaction (UI): Required (R) – User interaction (an administrator viewing the uploaded file) is required.
• Scope (S): Changed (C) – An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
• Confidentiality Impact (C): High (H) – There is a total loss of confidentiality, resulting in all resources within the impacted scope being divulged.
• Integrity Impact (I): High (H) – There is a total loss of integrity, resulting in a complete loss of system Operational integrity. The attacker can modify the system arbitrarily.
• Availability Impact (A): High (H) – There is a total loss of availability, resulting in the attacker can disrupt, deny, and degrade the system.

The high scores for confidentiality, integrity, and availability impact highlight the potential for significant damage following successful exploitation.

Possible Impact

Successful exploitation of this vulnerability can have severe consequences, including:

• Full Site Compromise: Attackers can gain complete control over the WordPress website.
• Data Theft: Sensitive data stored on the website can be stolen.
• Malware Distribution: The website can be used to distribute malware to visitors.
• Defacement: The website can be defaced, damaging the site owner’s reputation.
• Account Takeover: Administrator accounts can be compromised, allowing attackers to perform any action within the WordPress environment.

Mitigation and Patch Steps

The most effective mitigation is to update the Flo Forms plugin to the latest version as soon as a patch is released. If an update is not yet available, consider the following temporary measures:

• Disable SVG Uploads: Temporarily disable SVG file uploads in your WordPress media settings. This will prevent attackers from uploading malicious files. You can re-enable this feature once the plugin is updated.
• Implement File Validation: If possible, implement server-side validation to check the content of uploaded SVG files and reject those containing JavaScript or other potentially malicious code. This is a more advanced solution that requires technical expertise.
• Monitor User Activity: Closely monitor user activity in the WordPress admin panel for any suspicious behavior.

IMPORTANT: Regularly check the Flo Forms plugin page in the WordPress repository for updates and apply them immediately.

References

• CVE ID: CVE-2025-13159
• Plugin Source Code (Admin): plugins.trac.wordpress.org
• Plugin Source Code (Includes): plugins.trac.wordpress.org
• Plugin Source Code (Public): plugins.trac.wordpress.org
• Wordfence Threat Intelligence: wordfence.com