CVE-2025-13159

WordPress · WordPress "Flo Forms – Easy Drag & Drop Form Builder" plugin

Executive summary

A high-severity vulnerability has been identified in the "Flo Forms – Easy Drag & Drop Form Builder" WordPress plugin. This flaw allows an attacker to upload a malicious image file (SVG) that can execute code in the web browser of anyone viewing it, such as a site administrator. Successful exploitation could lead to the compromise of user accounts, theft of sensitive data, or a full website takeover.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw that exists due to improper validation of Scalable Vector Graphics (SVG) file uploads. An attacker with privileges to upload files via a form created by the plugin can submit a specially crafted SVG file containing malicious JavaScript. This malicious file is then stored on the server, and the embedded script will execute in the browser of any user who views the page where the uploaded file is displayed, potentially leading to session cookie theft, administrative account takeover, or redirection to malicious websites.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.1. If exploited, an attacker could compromise a privileged user account, such as an administrator, granting them full control over the affected WordPress site. The potential consequences include theft of sensitive customer or business data, website defacement, distribution of malware to site visitors, and significant reputational damage. The risk is elevated for websites that allow untrusted users to submit forms with file upload capabilities.

Remediation

Immediate Action: Immediately update the "Flo Forms – Easy Drag & Drop Form Builder" plugin to the latest version provided by the vendor, which contains a patch for this vulnerability. If the plugin is not critical to business operations, consider deactivating and uninstalling it to completely remove the attack surface.

Proactive Monitoring: Monitor web server logs for suspicious file uploads, particularly focusing on .svg files being uploaded through the plugin's forms. Review the WordPress media library and server upload directories for any unrecognized SVG files. Implement front-end monitoring to detect and alert on unexpected JavaScript execution on pages containing user-submitted content.
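As an added example (not code from the advisory or from the Flo Forms plugin), the Python below covers the two monitoring steps just described and the file type the Vulnerability section refers to: it picks .svg requests under the uploads directory out of combined-format access log lines, and it inspects stored SVG files for the constructs that make an SVG script-capable (script and foreignObject elements, on* event handler attributes, javascript: or data: links). The /wp-content/uploads/ prefix is the WordPress default and is assumed; the SVG and log samples are constructed for illustration. A practical caveat for triage: an SVG runs script only when rendered inline or opened directly, not when referenced from an img tag, so where the plugin displays the upload determines exposure.

```python
"""Defensive triage for SVG stored XSS in WordPress uploads.

Added example, not code from the Flo Forms plugin or the advisory. All sample
SVG and log data below is constructed; the /wp-content/uploads/ prefix is the
WordPress default and is assumed here.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements and attribute patterns that let an SVG execute script when it is
# rendered inline or navigated to directly (an <img> reference never runs script).
ACTIVE_ELEMENTS = {"script", "foreignobject"}
EVENT_HANDLER_RE = re.compile(r"^on[a-z]+$")
ACTIVE_SCHEME_RE = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings for script-capable constructs in an SVG document.

    An empty list means nothing active was found. A file that is not
    well-formed XML is reported too: it should not be served as an image.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():  # document order, root first
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr)  # handles xlink:href as well as href
            if EVENT_HANDLER_RE.match(name):
                findings.append(f"{name}= handler on <{tag}>")
            elif name == "href" and ACTIVE_SCHEME_RE.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{scheme}: URL on <{tag}>")
    return findings


def scan_upload_dir(root: Path) -> dict[str, list[str]]:
    """Map every .svg under `root` that carries active content to its findings."""
    report = {}
    for svg in root.rglob("*.svg"):
        findings = svg_active_content(svg.read_bytes())
        if findings:
            report[str(svg)] = findings
    return report


# Combined Log Format: host, ident, user, [time], "METHOD path proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PREFIX = "/wp-content/uploads/"  # WordPress default, assumed


def svg_upload_hits(log_text: str) -> list[dict]:
    """Pick out requests that touch .svg files under the uploads directory.

    Access logs do not record multipart filenames, so the usable signal is an
    .svg path under the uploads directory being served (hence stored).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith(UPLOAD_PREFIX) and path.lower().endswith(".svg"):
            hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "path": path, "status": int(m["status"])})
    return hits


# --- constructed samples (not real files or real log data) -------------------
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#09f"/>
</svg>"""

# Shape of an SVG that would run script if rendered inline; inert here and used
# only to exercise the detector.
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">
  <script>/* stored XSS would live here */</script>
  <a xlink:href="javascript:void 0"><text y="10">x</text></a>
</svg>"""

SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.test/contact/" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:14:02:15 +0000] "GET /wp-content/uploads/2025/11/form-upload.svg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2025:14:05:00 +0000] "GET /wp-content/uploads/2025/11/photo.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(svg_active_content(BENIGN_SVG))   # []
    print(svg_active_content(ACTIVE_SVG))   # three findings: onload, <script>, javascript: URL
    print(svg_upload_hits(SAMPLE_LOG))      # the one .svg request under uploads
```

Running `scan_upload_dir(Path("/var/www/html/wp-content/uploads"))` on the live server gives the media-library review the paragraph asks for; any path in the returned report is an SVG that should be quarantined rather than served. The log helper is deliberately narrow: it confirms that an SVG was stored and fetched, and the time and client fields let you correlate it with the POST that created it.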

Compensating Controls: If patching is not immediately feasible, implement a Web Application Firewall (WAF) with rules designed to inspect and block malicious SVG file uploads and XSS payloads. Additionally, disable the file upload feature on all public-facing forms created by the plugin. Enforcing a strict Content Security Policy (CSP) can also help prevent the execution of untrusted scripts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.1) of this vulnerability and its potential for complete site compromise, it is strongly recommended that organizations take immediate action. All instances of the "Flo Forms" plugin must be identified and updated to the latest patched version without delay. Although this CVE is not currently listed on the CISA KEV list, its nature as a Stored XSS flaw makes it a high-priority target for remediation.