CVE-2025-32427
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the Formie plugin for Craft CMS. When importing forms from JSON, malicious content in field labels or handles isn't properly escaped during preview, allowing attackers to execute arbitrary JavaScript in victims' browsers. Only users who can import forms (typically administrators) are affected, and exploitation requires deliberate tampering with exported JSON files.
💻 Affected Systems
- Formie (Craft CMS plugin)
📦 What is this software?
Formie by Verbb
⚠️ Risk & Real-World Impact
Worst Case
An attacker with access to exported form JSON could inject malicious JavaScript that executes when an administrator previews the import, potentially leading to session hijacking, account takeover, or administrative actions performed under the victim's credentials.
Likely Case
Limited impact, since exploitation requires both access to exported form JSON and an administrator previewing the malicious import. The most likely scenario is a targeted attack against specific administrators.
If Mitigated
With proper access controls limiting who can import forms and awareness of the risk, impact is minimal as exploitation requires multiple conditions to align.
🎯 Exploit Status
Exploitation requires: 1) Access to exported form JSON, 2) Ability to modify the JSON with malicious payload, 3) An administrator importing and previewing the malicious JSON. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.44
Vendor Advisory: https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3
Restart Required: No
Instructions:
1. Update the Formie plugin to version 2.1.44 or later via the Craft CMS control panel or Composer.
2. Verify that the update completed successfully.
3. No server restart is required.
🔧 Temporary Workarounds
Restrict form import permissions
Limit which users can import forms via JSON to only trusted administrators who understand the risk.
Validate imported JSON
Implement custom validation of imported form JSON to detect and reject suspicious content in labels and handles before the preview is rendered.
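The validation workaround described above, as an added defensive example that is not Formie's or Verbb's code: it walks an exported form JSON document and rejects the import when any `label` contains markup or any `handle` is not a plain identifier. The export layout (nested `pages`/`rows`/`fields`) and the `label`/`handle` key names are assumptions, not taken from the advisory.

```python
import json
import re

# Assumption, not from the advisory: a Formie export is nested JSON whose field
# objects carry "label" and "handle" keys; the walker relies only on those names.
LABEL_MARKUP = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
HANDLE_OK = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

def check_value(key, value):
    """Return a reason string if a label/handle value is unsafe, else None."""
    if not isinstance(value, str):
        return None
    if key == "label" and LABEL_MARKUP.search(value):
        return "label contains markup or script-like content"
    if key == "handle" and not HANDLE_OK.match(value):
        return "handle is not a plain identifier"
    return None

def find_suspicious(node, path="$"):
    """Walk the JSON tree, collecting (path, reason, value) for unsafe labels/handles."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            reason = check_value(key, value)
            if reason:
                findings.append((child, reason, value))
            findings.extend(find_suspicious(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_suspicious(item, f"{path}[{i}]"))
    return findings

def validate_export(raw_json):
    """Parse an export; return (accepted, findings). Any finding rejects the import."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, [("$", "invalid JSON", str(exc))]
    findings = find_suspicious(doc)
    return not findings, findings

# Constructed sample export: one clean field, one markup label, one bad handle.
SAMPLE_EXPORT = json.dumps({
    "title": "Contact", "handle": "contact",
    "pages": [{"rows": [{"fields": [
        {"label": "Your name", "handle": "yourName", "type": "SingleLineText"},
        {"label": "Email <script>x</script>", "handle": "email", "type": "Email"},
        {"label": "Phone", "handle": "phone;drop", "type": "Phone"},
    ]}]}],
})
```

Run `validate_export()` on the uploaded file before handing it to the preview step; the returned paths tell the administrator exactly which field to inspect.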
🧯 If You Can't Patch
- Restrict form import functionality to only essential administrators
- Educate users about the risk of importing untrusted JSON form exports
🔍 How to Verify
Check if Vulnerable:
Check the Formie plugin version in the Craft CMS admin panel under Settings → Plugins. If the version is below 2.1.44, the system is vulnerable.
Check Version:
In Craft CMS admin: Settings → Plugins → Formie (or check composer.json for 'verbb/formie' version)
Verify Fix Applied:
After updating, confirm Formie version is 2.1.44 or higher in the Craft CMS plugin management interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual form import activities
- Multiple failed import attempts
- Administrator account performing unexpected actions after form imports
Network Indicators:
- Unexpected outbound connections from Craft CMS admin interface following form imports
SIEM Query:
source="craft-cms" AND (event="form_import" OR event="form_preview") AND user_role="admin"