Flo Forms Stored Cross-Site Scripting Vulnerability via SVG Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Flo Forms WordPress plugin, affecting versions through 1.0.43. The issue arises because the plugin accepts SVG file uploads through an unauthenticated AJAX endpoint, flo_form_submit, without adequate validation of the file's content. This allows unauthenticated attackers to upload malicious SVG files containing JavaScript. The injected script executes when an administrator views the uploaded file in the WordPress admin, potentially leading to a complete compromise of the site.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files can execute JavaScript in the context of an administrator.

Reproduction

To reproduce this vulnerability, upload a malicious SVG file containing JavaScript through the unauthenticated AJAX endpoint 'flo_form_submit'. Once uploaded, the JavaScript will execute when an administrator views the file in the WordPress admin interface.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
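As an added detection example (not code from the advisory or from the Flo Forms plugin), the Python below scans a WordPress uploads directory for SVG files carrying script-capable content: script or foreignObject elements, on* event-handler attributes, and javascript:/data: URIs, which is the content validation the endpoint lacks. The uploads path and the sample SVGs are assumptions constructed for the example.

```python
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# SVG constructs that can run script or embed foreign content. A server-side
# SVG upload check should reject a file that contains any of these.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
ACTIVE_URI = re.compile(r"^\s*(javascript|data):", re.IGNORECASE)
URI_ATTRIBUTES = {"href", "src"}  # covers xlink:href once the namespace is stripped


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of findings for script-capable constructs in one SVG document.

    Uses the stdlib parser; a production scanner should parse with defusedxml,
    since untrusted XML can also carry entity-expansion denial of service.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); review manually"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRIBUTES and ACTIVE_URI.match(value):
                findings.append(f"{name}={value[:20]!r} on <{tag}>")
    return findings


def scan_uploads(directory):
    """Map each .svg file under `directory` (recursively) to its findings."""
    return {str(p): find_active_content(p.read_bytes())
            for p in Path(directory).rglob("*")
            if p.is_file() and p.suffix.lower() == ".svg"}


# Constructed samples (not from the advisory) so the check can run offline.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
              b'<script>run()</script></svg>')

if __name__ == "__main__":
    # Assumed path; pass the real wp-content/uploads directory as argv[1].
    uploads = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, hits in scan_uploads(uploads).items():
        if hits:
            print(path, "->", "; ".join(hits))
```

Files reported as unparseable are worth reviewing too, since a malformed file may still be served to a browser.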

Added: Nov 21, 2025, 8:22 AM
Updated: Nov 21, 2025, 3:55 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 8.4
remediation: 0.0
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.