CVE-2025-13159
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | flo_forms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Flo Forms β Easy Drag & Drop Form Builder plugin for WordPress, where unauthenticated attackers can upload malicious SVG files via an AJAX endpoint without proper validation. These SVG files can contain JavaScript that executes when an administrator views the file in the WordPress admin interface, leading to stored cross-site scripting (XSS) and potentially full site compromise.
How can this vulnerability impact me? :
The vulnerability can lead to full site compromise by allowing attackers to execute malicious JavaScript in the context of the WordPress admin interface. This can result in unauthorized access, data theft, defacement, or further exploitation of the website and its data.