CVE-2025-13159
📋 TL;DR
The Flo Forms WordPress plugin allows unauthenticated attackers to upload malicious SVG files containing JavaScript via an AJAX endpoint. When administrators view these files in the WordPress admin interface, the JavaScript executes, potentially leading to full site compromise. All WordPress sites using Flo Forms versions up to 1.0.43 are affected.
💻 Affected Systems
- Flo Forms – Easy Drag & Drop Form Builder for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full site compromise including administrative account takeover, data theft, malware injection, and complete control of the WordPress installation.
Likely Case
Administrative session hijacking leading to plugin/theme modification, backdoor installation, or content defacement.
If Mitigated
Limited impact with proper file upload restrictions and admin interface protections in place.
🎯 Exploit Status
Exploitation requires only HTTP POST requests to the vulnerable endpoint with malicious SVG payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.44 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/flo-forms/trunk/readme.txt
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Flo Forms plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.0.44+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
linuxBlock SVG file uploads at the web server level
Add to .htaccess: <FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Disable Flo Forms plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate flo-forms
🧯 If You Can't Patch
- Implement WAF rules to block requests to flo_form_submit endpoint with SVG content
- Restrict admin panel access to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Flo Forms version. If version is 1.0.43 or lower, you are vulnerable.Check Version:
wp plugin get flo-forms --field=versionVerify Fix Applied:
After updating, confirm Flo Forms version is 1.0.44 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=flo_form_submit containing SVG content
- SVG file uploads in WordPress uploads directory with script tags
Network Indicators:
- Unusual POST requests to admin-ajax.php endpoint from unauthenticated sources
- SVG files with JavaScript content being uploaded
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="flo_form_submit" AND (params.filename="*.svg" OR body CONTAINS "<svg")🔗 References
- https://plugins.trac.wordpress.org/browser/flo-forms/trunk/admin/class-flo-forms-admin.php#L821
- https://plugins.trac.wordpress.org/browser/flo-forms/trunk/includes/class-flo-forms.php#L301
- https://plugins.trac.wordpress.org/browser/flo-forms/trunk/public/class-flo-forms-public.php#L502
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8c529017-2fb9-4665-97a6-3ec062908299?source=cve
