CVE-2025-0817 — Cross-site Scripting in Formcraft

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA7.2

EPSS

0.5%

top 32.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ncrafts Formcraft Formcraft

Timeline

PublishedFeb 18

Description

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDncrafts/formcraft< 3.9.12

▶CVEListV5formcraft/formcraft3.9.11

🔴Vulnerability Details

CVEList

FormCraft - Premium WordPress Form Builder <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload↗2025-02-18

▶

GHSA

GHSA-4qqq-vxfm-2ggv: The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3↗2025-02-18

▶