Description
The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-02-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via SVG uploads
Action: Patch Now
AI Analysis

Impact

The FormCraft WordPress plugin allows users to upload SVG files without proper input sanitisation or output escaping. An unauthenticated attacker can therefore embed arbitrary JavaScript within an SVG file. When any site visitor views or downloads the SVG, the injected script executes in the victim’s browser, enabling typical XSS consequences such as session hijacking, defacement or data theft. This vulnerability is characterised as Stored XSS (CWE‑79).

Affected Systems

The flaw exists in all FormCraft plugin releases up to and including version 3.9.11. The affected product is the FormCraft Premium WordPress Form Builder provided by Ncrafts. The plugin runs within a WordPress environment; any installation hosting the plugin and permitting SVG uploads is vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, with the EPSS score of less than 1% suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is unauthenticated file upload: an attacker simply submits an SVG via the form builder’s file upload interface; once stored, the payload will execute whenever any logged‑in or anonymous user accesses the SVG file. No special authentication or privilege is required, which widens the threat surface.

Generated by OpenCVE AI on April 22, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FormCraft to the latest release (≥ 3.10) that removes or sanitises SVG uploads
  • If an update is not feasible, disable SVG file uploads in the form settings or block .svg MIME types via server configuration or .htaccess rules
  • As a temporary defense, restrict file uploads to only safe types such as PNG or JPEG, and consider implementing a content security policy that blocks script execution from uploaded content
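Two defender-side helpers for the actions above, added here as an example and not part of the OpenCVE record or the FormCraft plugin: a content-based allowlist that accepts only PNG/JPEG by file signature (so an SVG renamed to .png is still rejected), and a triage scanner that flags SVGs already stored under an uploads directory when they carry script elements, event-handler attributes or javascript: links. The sample SVGs and the raster-only policy are constructed assumptions.

```python
"""Added example for the remediation bullets above: content-based upload
allowlist plus triage scan of already-stored SVG files. Not FormCraft code."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Signatures of the only formats the form is allowed to accept (assumed policy:
# raster images only, matching the "PNG or JPEG" recommendation).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}

# Constructed samples: a harmless SVG and one carrying active content.
CLEAN_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'><rect width='1' height='1'/></svg>"
SUSPECT_SVG = (b"<svg xmlns='http://www.w3.org/2000/svg' onload='x()'>"
               b"<script>/* constructed marker */</script></svg>")


def is_allowed_upload(filename: str, data: bytes) -> bool:
    """Accept a file only if its extension is allowlisted AND the leading bytes
    match that format. SVG is XML text, so it fails even when renamed to .png."""
    ext = Path(filename).suffix.lower().lstrip(".")
    sig = MAGIC.get(ext)
    return sig is not None and data.startswith(sig)


def svg_active_content(data: bytes) -> list[str]:
    """List the reasons an SVG could execute script when a browser opens it
    directly (the access path described in the advisory). Empty list = clean.
    Note: stdlib ElementTree does not resolve external entities, but for
    untrusted input in production prefer defusedxml."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable XML"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, val in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # also handles xlink:href
            if name.startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler {name}")
            elif name == "href" and re.match(r"\s*javascript:", val, re.I):
                findings.append("javascript: href")
    return findings


def scan_uploads(directory: Path) -> dict[str, list[str]]:
    """Map every .svg under `directory` to its findings, for triage after exposure."""
    return {str(p): svg_active_content(p.read_bytes()) for p in directory.rglob("*.svg")}
```

Run scan_uploads against the WordPress uploads directory to find SVGs that were stored before SVG uploads were disabled.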

Advisories
Source  ID              Title
EUVD    EUVD-2025-4801  The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
History

Fri, 21 Feb 2025 12:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ncrafts
                                      Ncrafts formcraft
CPEs                                  cpe:2.3:a:ncrafts:formcraft:*:*:*:*:*:wordpress:*:*
Vendors & Products                    Ncrafts
                                      Ncrafts formcraft

Tue, 18 Feb 2025 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Feb 2025 11:15:00 +0000

Type                 Values Removed   Values Added
Description                           The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Title                                 FormCraft - Premium WordPress Form Builder <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:25.481Z

Reserved: 2025-01-28T21:03:19.234Z

Link: CVE-2025-0817

Vulnrichment

Updated: 2025-02-18T14:20:12.694Z

NVD

Status: Analyzed

Published: 2025-02-18T11:15:12.893

Modified: 2025-02-21T12:15:11.963

Link: CVE-2025-0817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses