Cyber Posture

CVE-2025-0817

High

Published: 18 February 2025
Modified: 21 February 2025
KEV Added: not listed
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0053 (67.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0817 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ncrafts Formcraft. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the insufficient input sanitization by validating SVG file uploads so that embedded script cannot be stored.

SI-15 Information Output Filtering (prevent): Mitigates the lack of output escaping by filtering SVG content before it is served or rendered, preventing script execution in users' browsers.

Prevent: Ensures timely remediation of the flaw in FormCraft plugin versions up to and including 3.9.11 through identification, reporting, and patching.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS via unauthenticated SVG upload directly enables exploitation of public-facing web apps (T1190) and facilitates browser session hijacking plus cookie theft (T1185, T1539) upon script execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Deeper analysis

CVE-2025-0817 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the FormCraft plugin for WordPress. It affects all versions up to and including 3.9.11 and stems from insufficient input sanitization and output escaping during SVG file uploads. This flaw enables the injection of arbitrary web scripts into pages, with execution occurring whenever a user accesses the affected SVG file. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change.

Unauthenticated attackers can exploit CVE-2025-0817 remotely by uploading a malicious SVG file containing XSS payloads through the plugin's form functionality. Once stored, the injected scripts execute in the context of any user's browser that views the SVG file, potentially enabling session hijacking, data theft, or further site compromise for all visitors, including administrators.
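The SI-10 control above (validate SVG uploads) and the upload path described in this analysis can be checked server-side before a file is stored. The following is an added example written for this page, not code from FormCraft or Wordfence: it parses a candidate SVG with the standard library and reports every active-content vector it finds (script elements, HTML-embedding elements, event-handler attributes, script URIs, entity declarations). The sample SVGs are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed arbitrary HTML when opened directly.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URI schemes that execute code when used in href/src (matched case-insensitively).
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local_name(qname: str) -> str:
    """Strip a Clark-notation namespace: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means no active content found."""
    findings = []
    lowered = data.lower()
    # An icon or logo never needs entity declarations; they only enable entity-expansion abuse.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        if not isinstance(el.tag, str):  # skip comments/processing instructions if present
            continue
        tag = _local_name(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local_name(attr)
            if name.startswith("on"):  # onload=, onclick=, onmouseover=, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in ("href", "src") and SCRIPT_URI.match(value):
                findings.append(f"script URI in {name} on <{tag}>")
        if tag == "style" and el.text and re.search(r"javascript:|@import|expression\(", el.text, re.I):
            findings.append("active content inside <style>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples (not from the advisory): a plain icon and one carrying three XSS vectors.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
HOSTILE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><text x="1" y="5">hi</text></a>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "->", svg_findings(blob) or "OK")
```

Rejecting at upload is the SI-10 layer; the SI-15 layer is to serve any stored SVG with a Content-Security-Policy that forbids script (or as a download rather than inline), so a file that slips past validation still cannot run in a visitor's browser.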

Advisories and patch information are referenced in the FormCraft changelog at https://formcraft-wp.com/changelog/, the plugin's CodeCanyon product page at https://codecanyon.net/item/formcraft-premium-wordpress-form-builder/5335056, and Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7ae0710a-8c9b-41b0-860f-ae79b7ed1ee4?source=cve. Security practitioners should review these sources for update instructions and promptly update to a release later than 3.9.11.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: ncrafts formcraft ≤ 3.9.12

CVEs Like This One (shared CWE-79)

CVE-2026-24665
CVE-2026-32728
CVE-2026-2072
CVE-2024-55227
CVE-2025-25062
CVE-2024-51700
CVE-2026-27245
CVE-2025-22335
CVE-2025-25169
CVE-2025-68887
