CVE-2025-0817

7.2 HIGH

📋 TL;DR

The FormCraft WordPress plugin allows unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when viewed. This stored XSS vulnerability affects all WordPress sites using FormCraft versions up to 3.9.11.

💻 Affected Systems

Products:
  • FormCraft Premium WordPress Form Builder
Versions: All versions up to and including 3.9.11
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when SVG uploads are enabled via FormCraft forms.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠 Likely Case

Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing pages, or display unwanted advertisements.

🟢 If Mitigated

With proper file upload restrictions and content security policies, impact is limited to potential script execution in isolated contexts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires no authentication, and SVG file uploads are a common feature of form builders.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.9.12 or later

Vendor Advisory: https://formcraft-wp.com/changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find FormCraft and click 'Update Now'.
4. Verify the version is 3.9.12 or higher.

🔧 Temporary Workarounds

Disable SVG uploads in FormCraft (platform: all)

Configure FormCraft forms to reject SVG file uploads by modifying the allowed file types.

Implement Content Security Policy (platform: all)

Add CSP headers to prevent inline script execution from uploaded files.

Add to .htaccess (requires mod_headers; applies to every response Apache serves, including files under wp-content/uploads):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Or add to wp-config.php (applies only to responses generated by PHP, so it does not cover SVG files served directly as static files; use the .htaccess form for those):
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

Note that script-src 'self' also blocks the inline scripts that WordPress core, themes and plugins rely on; test on a staging site first, or deploy it as Content-Security-Policy-Report-Only before enforcing.

🧯 If You Can't Patch

  • Disable the FormCraft plugin entirely until patched.
  • Implement web application firewall rules to block SVG uploads containing script tags (and inline event-handler attributes such as onload, which execute script just as a <script> element does).
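The upload-filtering workaround above can be implemented server-side rather than only in a WAF. This is an added example, not code from the advisory or the FormCraft plugin: it parses a candidate SVG and reports every construct that can execute script (script elements, foreignObject, on* event-handler attributes, javascript: hrefs). The two sample SVGs are constructed for the demonstration.

```python
"""Reject uploaded SVGs that carry executable content (added defender-side example)."""
import xml.etree.ElementTree as ET

# Elements that allow script execution or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# SVG 1.1 uses xlink:href; SVG 2 allows a plain href attribute.
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def svg_script_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; an empty list means clean.

    Note: the stdlib parser expands internal entities, so front this with
    defusedxml (or a size limit) on real upload paths.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Unparseable input is rejected too: a browser may still render it leniently.
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):  # onload=, onclick=, onbegin=, ... all run script
                findings.append(f"event handler {name} on <{local}>")
            if attr in HREF_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{local}>")
    return findings


# Constructed samples: a harmless icon and an upload that should be blocked.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           b'<script>alert(1)</script></svg>')

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SVG), ("bad", BAD_SVG)):
        print(label, svg_script_findings(data) or "accepted")
```

Rejecting on any finding is the safe policy; sanitising SVG in place is error-prone, and serving uploads from a separate origin removes the stored XSS impact even for files that slip through.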

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > FormCraft version. If version is 3.9.11 or lower, you are vulnerable.

Check Version:

wp plugin list --name=formcraft --field=version

Verify Fix Applied:

After updating, verify FormCraft version shows 3.9.12 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads via FormCraft endpoints
  • Multiple failed SVG upload attempts with script-like content

Network Indicators:

  • POST requests to /wp-content/plugins/formcraft/upload endpoints with SVG files
  • SVG files containing <script> tags being served

SIEM Query:

source="wordpress" AND (uri_path="/wp-content/plugins/formcraft/" AND file_extension="svg")

🔗 References