CVE-2025-13159

Name of the Vulnerable Software and Affected Versions Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress versions up to and including 1.0.43

Description The Flo Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. The plugin permits SVG file uploads via an unauthenticated AJAX endpoint, flo form submit, without sufficient file content validation. This allows unauthenticated attackers to upload malicious SVG files containing JavaScript. When an administrator views the uploaded file within the WordPress admin interface, the malicious JavaScript executes, potentially leading to a full site compromise.

Recommendations Update Flo Forms – Easy Drag & Drop Form Builder plugin to a version later than 1.0.43.