
CVE-2025-13159 PoC — Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload

Associated Vulnerability
Title: Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload (CVE-2025-13159)

Description: The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint (`flo_form_submit`) without proper file content validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when an administrator views the uploaded file in the WordPress admin interface, leading to potential full site compromise.
Repository description: Disclosure for CVE-2025-13159
# Flo-Forms-CVE-Report

# CVE-2025-13159 - Vulnerability in Flo Forms – Easy Drag & Drop Form Builder

This repository discloses a vulnerability discovered in [Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43](https://wordpress.org/plugins/flo-forms/), a WordPress plugin developed by otackflothemesplugins.

## 🛠 Affected Version

- **Product**: Flo Forms – Easy Drag & Drop Form Builder
- **Version**: v1.0.43 and earlier (all versions up to and including 1.0.43)
- **URL**: https://wordpress.org/plugins/flo-forms/

---

## 🔒 Assigned CVE
| CVE ID         | Type                                                        | Component                          | Impact                                                        |
|----------------|-------------------------------------------------------------|------------------------------------|---------------------------------------------------------------|
| CVE-2025-13159 | Unauthenticated Stored Cross-Site Scripting via SVG Upload  | public/class-flo-forms-public.php  | Unauthenticated attacker can execute JavaScript in the admin interface |

---

## 🧾 Detailed Description

### CVE-2025-13159 — Unauthenticated Stored Cross-Site Scripting via SVG Upload

- **Affected Component**: Flo Forms admin page
- **Attack Vector**: Unauthenticated Stored Cross-Site Scripting via SVG Upload
- **Trigger**: An unauthenticated request to the `flo_form_submit` AJAX action stores an attacker-supplied SVG file without content validation; the script embedded in that file runs when the file is viewed in the admin interface.

```bash
curl -k -X POST "https://localhost:8080/wp-admin/admin-ajax.php" \
  -F 'action=flo_form_submit' \
  -F 'flo_fid=<your fid>' \
  -F 'flo-form-model={}' \
  -F 'flo-form-schema={"groups":[]}' \
  -F 'file=@XSS.svg;type=image/svg+xml'
```
※ If the `flo_fid` value does not correspond to an existing form, the request fails.

- **Impact**: The stored script executes in the browser of an administrator who views the file, posing a risk of serious harm such as account hijacking.

## ❓ Reason for the vulnerability

The plugin expands WordPress’s allowed MIME types to include `image/svg+xml` and exposes an unauthenticated AJAX action (`flo_form_submit`) that accepts file attachments and passes them to `media_handle_upload()` without any SVG sanitization or capability checks. Uploaded SVGs are then served back as `image/svg+xml` and linked from the admin UI. When an administrator opens the attachment (directly, or via `<object>`/`<iframe>`), the browser interprets the SVG document and executes embedded scripts, resulting in stored XSS.

- **Fix**: Exclude SVG from the allowed MIME types.
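As an added, illustrative hardening example (not code from the Flo Forms plugin or from this advisory's author), the following WordPress must-use plugin applies the fix suggested above at the site level. It hooks the real WordPress filters `upload_mimes`, to drop `svg`/`svgz` from the allowed upload types at the latest priority so it overrides any plugin that re-adds them, and `wp_handle_upload_prefilter`, to reject any upload whose bytes look like an SVG carrying script content as defence in depth (setting `$file['error']` in that filter makes `wp_handle_upload()` abort). The `bas_` function names and the sample documents are constructed for this example. It does not add the missing capability check to the `flo_form_submit` action itself; that part of the fix has to land in the plugin.

```php
<?php
/**
 * Plugin Name: Block Active SVG Uploads (illustrative hardening example)
 * Description: Drop into wp-content/mu-plugins/. Removes SVG from the allowed
 *              upload types and, as a second layer, rejects any upload whose
 *              bytes look like an SVG document carrying script content.
 */

/**
 * Heuristic check for active content inside an SVG/XML document.
 * Returns the name of the first indicator found, or null if the document
 * looks clean. This is a blocklist and only a backstop; removing SVG from
 * upload_mimes (below) is the primary control.
 */
function bas_svg_active_content_indicator( string $xml ): ?string {
    // Strip XML comments first so commented-out markup is not flagged.
    $xml = preg_replace( '/<!--.*?-->/s', '', $xml ) ?? $xml;

    $indicators = [
        'script element'        => '/<\s*script\b/i',
        'event handler attr'    => '/\s+on[a-z]+\s*=/i',               // onload=, onclick=, ...
        'javascript: URL'       => '/(?:xlink:)?href\s*=\s*["\']?\s*javascript:/i',
        'foreignObject element' => '/<\s*foreignObject\b/i',           // can wrap arbitrary HTML
        'embedded document'     => '/<\s*(?:iframe|embed|object)\b/i',
        'xml-stylesheet PI'     => '/<\?xml-stylesheet\b/i',           // external resource load
    ];
    foreach ( $indicators as $name => $pattern ) {
        if ( preg_match( $pattern, $xml ) === 1 ) {
            return $name;
        }
    }
    return null;
}

/** Cheap sniff: does this byte buffer contain an <svg> root element? */
function bas_looks_like_svg( string $bytes ): bool {
    return stripos( $bytes, '<svg' ) !== false;
}

if ( function_exists( 'add_filter' ) ) {
    // Layer 1: remove SVG from the allowed upload MIME map. PHP_INT_MAX runs
    // after any plugin that added image/svg+xml at a normal priority.
    add_filter( 'upload_mimes', function ( array $mimes ): array {
        unset( $mimes['svg'], $mimes['svgz'] );
        return $mimes;
    }, PHP_INT_MAX );

    // Layer 2: inspect the bytes of every upload before wp_handle_upload()
    // stores it, regardless of the declared MIME type or extension.
    add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
        if ( empty( $file['tmp_name'] ) || ! is_readable( $file['tmp_name'] ) ) {
            return $file;
        }
        // Read the first 256 KiB; an SVG payload's markup sits near the top.
        $head = (string) file_get_contents( $file['tmp_name'], false, null, 0, 262144 );
        if ( bas_looks_like_svg( $head ) ) {
            $hit = bas_svg_active_content_indicator( $head );
            if ( null !== $hit ) {
                // A non-empty 'error' makes WordPress reject the upload.
                $file['error'] = sprintf( 'Upload rejected: SVG contains %s.', $hit );
            }
        }
        return $file;
    }, PHP_INT_MAX );
} elseif ( PHP_SAPI === 'cli' ) {
    // Stand-alone self-test outside WordPress:  php block-active-svg.php
    // Constructed sample documents; none of these are taken from the advisory.
    $samples = [
        'benign'  => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
        'script'  => '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>',
        'handler' => '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect/></svg>',
        'comment' => '<svg xmlns="http://www.w3.org/2000/svg"><!-- <script> --><rect/></svg>',
    ];
    foreach ( $samples as $label => $doc ) {
        $hit = bas_svg_active_content_indicator( $doc );
        printf( "%-8s -> %s\n", $label, $hit ?? 'clean' );
    }
}
```

Run outside WordPress with `php block-active-svg.php` to exercise the heuristic on the built-in samples (`benign` and `comment` report clean; `script` and `handler` are flagged). The byte check cannot see inside a gzip-compressed `.svgz`, and regex blocklists never catch every encoding trick, which is why dropping SVG from `upload_mimes` is the control that actually closes the issue; the content check only adds a second line of defence for SVGs that arrive under another extension.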

## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  

---

## 📚 References

- Product: https://wordpress.org/plugins/flo-forms/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.