
CVE-2025-13159 PoC — WordPress plugin Flo Forms Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: WordPress plugin Flo Forms Cross-Site Scripting Vulnerability (CVE-2025-13159)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog site on a PHP- and MySQL-based server. A WordPress plugin is an add-on application for it. The WordPress plugin Flo Forms 1.0.43 and earlier versions contain a cross-site scripting vulnerability. The flaw stems from missing validation of uploaded file content and can lead to stored cross-site scripting attacks.
# Flo-Forms-CVE-Report
Disclosure for CVE-2025-13159

# CVE-2025-13159 - Vulnerability in Flo Forms – Easy Drag & Drop Form Builder

This repository discloses a vulnerability discovered in [Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43](https://wordpress.org/plugins/flo-forms/), a WordPress plugin developed by otackflothemesplugins.

## 🛠 Affected Version

- **Product**: Flo Forms – Easy Drag & Drop Form Builder
- **Version**: v1.0.43
- **URL**: https://wordpress.org/plugins/flo-forms/

---

## 🔒 Assigned CVE
| CVE ID         | Type                                                        | Component                         | Impact                                    |
|----------------|-------------------------------------------------------------|-----------------------------------|-------------------------------------------|
| CVE-2025-13159 | Unauthenticated Stored Cross-Site Scripting via SVG Upload  | public/class-flo-forms-public.php | Unauthenticated attacker can execute JS   |

---

## 🧾 Detailed Description

### CVE-2025-13159 — Unauthenticated Stored Cross-Site Scripting via SVG Upload

 - **Affected Component**: Flo Forms admin page
 - **Attack Vector**: Unauthenticated Stored Cross-Site Scripting via SVG Upload
 - **Trigger**: An attacker can inject malicious scripts into the admin interface by using the unauthenticated `flo_form_submit` AJAX action to upload an SVG file containing script; the file is stored in the media library and later rendered to administrators.

```bash
curl -k -X POST "https://localhost:8080/wp-admin/admin-ajax.php" \
  -F 'action=flo_form_submit' \
  -F 'flo_fid=<your fid>' \
  -F 'flo-form-model={}' \
  -F 'flo-form-schema={"groups":[]}' \
  -F 'file=@XSS.svg;type=image/svg+xml'
```
※ The request fails if the `flo_fid` value does not correspond to an existing form.

 - **Impact**: Stored scripts may be executed, posing a risk of serious harm such as account hijacking.

## ❓ Reason for the vulnerability
The plugin expands WordPress's allowed MIME types to include `image/svg+xml` and exposes an unauthenticated AJAX action (`flo_form_submit`) that accepts file attachments and passes them to `media_handle_upload()` without any SVG sanitization or capability checks. Uploaded SVGs are then served back as `image/svg+xml` and linked from the admin UI. When an administrator opens the attachment (directly, or via `<object>`/`<iframe>`), the browser interprets the SVG document and executes embedded scripts, resulting in stored XSS.
 - **Fix**: Exclude SVG from the allowed MIME types.
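The following is an added example of how a plugin author can close this class of bug; it is not Flo Forms' code and does not reproduce the patched plugin. It applies the fix stated above (SVG removed from the allowed MIME list) and adds the checks the description says were missing: a nonce on the AJAX action, a strict attachment allowlist enforced both at `wp_check_filetype_and_ext()` and inside `media_handle_upload()`, and a content-based rejection of SVG documents that slip in under another extension. The action name `example_form_submit`, the nonce action `example_form` and the `file`/`nonce` field names are assumptions; every other call is a core WordPress API.

```php
<?php
/**
 * Added example (not Flo Forms code): an AJAX upload handler hardened against
 * the pattern behind CVE-2025-13159. Action name, nonce name and field names
 * are assumptions for illustration; all other calls are core WordPress APIs.
 */

// 1. Remove SVG from the allowed MIME list even if another plugin or theme
//    has added it. Highest priority so this filter runs last.
add_filter( 'upload_mimes', 'example_remove_svg_mime', PHP_INT_MAX );
function example_remove_svg_mime( array $mimes ): array {
    unset( $mimes['svg'], $mimes['svgz'] );
    return $mimes;
}

// 2. Defence in depth: refuse any upload whose bytes look like an SVG
//    document, regardless of the declared MIME type or file extension.
add_filter( 'wp_handle_upload_prefilter', 'example_reject_svg_content' );
function example_reject_svg_content( array $file ): array {
    if ( ! empty( $file['tmp_name'] ) && is_readable( $file['tmp_name'] ) ) {
        $head = (string) file_get_contents( $file['tmp_name'], false, null, 0, 4096 );
        if ( example_looks_like_svg( $head ) ) {
            $file['error'] = 'SVG files are not accepted.';
        }
    }
    return $file;
}

function example_looks_like_svg( string $head ): bool {
    // Drop a UTF-8 BOM, XML declaration, comments and DOCTYPE, then check
    // whether the root element is <svg>.
    $head = preg_replace( '/^\xEF\xBB\xBF/', '', $head );
    $head = preg_replace( '/<\?xml.*?\?>|<!--.*?-->|<!DOCTYPE[^>]*>/is', '', $head );
    return 1 === preg_match( '/^\s*<svg\b/i', $head );
}

// 3. The form-submission handler. The form is public, so the nopriv hook
//    stays, but an attachment is only accepted if it passes a strict allowlist.
add_action( 'wp_ajax_example_form_submit', 'example_form_submit' );
add_action( 'wp_ajax_nopriv_example_form_submit', 'example_form_submit' );

function example_form_submit(): void {
    // Nonce issued when the form was rendered via wp_create_nonce( 'example_form' ).
    check_ajax_referer( 'example_form', 'nonce' );

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_success( array( 'attachment' => null ) );
    }

    // Allowlist only the attachment types this form needs; SVG is deliberately absent.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 400 );
    }

    // media_handle_upload() lives in wp-admin; load it for front-end requests.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // The same allowlist is passed as an override so wp_handle_upload() enforces it too.
    $attachment_id = media_handle_upload(
        'file',
        0,
        array(),
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'attachment' => $attachment_id ) );
}
```

The `upload_mimes` filter alone is the fix the advisory names; the prefilter and the per-request allowlist are there because a later plugin or theme can re-add `svg` to the MIME list, and because an allowlist scoped to the handler does not depend on site-wide settings. On an already-affected site, the prefilter does nothing for SVGs that were uploaded earlier, so those attachments still need to be found and removed from the media library.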

## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  

---

## 📚 References

- Product: https://wordpress.org/plugins/flo-forms/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.