Stored Cross-Site Scripting in Flo Forms Plugin for WordPress
CVE-2025-13159

7.1HIGH

Key Information:

Vendor: WordPress
Status: Flo Forms – Easy Drag & Drop Form Builder
Vendor: CVE Published:; 21 November 2025

What is CVE-2025-13159?

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting due to improper validation of SVG file uploads. Unauthenticated attackers can exploit this vulnerability by uploading malicious SVG files through an unauthenticated AJAX endpoint (flo_form_submit). When these files are accessed by an administrator in the WordPress admin interface, the embedded JavaScript within the SVG files executes, potentially leading to a complete compromise of the site.

Affected Version(s)

Flo Forms – Easy Drag & Drop Form Builder * <= 1.0.43

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/flo-forms/trun...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2025
Vulnerability Reserved
Nov 14, 2025

Credit

Moose Love

JSON