CVE-2025-32427: 
PHP vulnerability analysis and mitigation

Formie, a Craft CMS plugin for creating forms, was found to contain a cross-site scripting (XSS) vulnerability in versions prior to 2.1.44. The vulnerability was discovered and disclosed on April 11, 2025. The issue affects the form import functionality when processing JSON data, specifically when handling field labels or handles containing malicious content (GitHub Advisory, NVD).

The vulnerability occurs during the form import preview process where user-supplied content from JSON files is not properly escaped before being displayed. The issue has been assigned CVE-2025-32427 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v4.0 score of 5.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability allows malicious content embedded in field labels or handles within JSON exports to be executed when previewing form imports. However, the impact is considered moderate as exploitation requires direct manipulation of the JSON export file and typically occurs in scenarios where users are importing forms they have previously exported from another environment (GitHub Advisory).

The vulnerability has been fixed in Formie version 2.1.44. Users are advised to upgrade to this version or later to address the security issue. No alternative workarounds have been provided (GitHub Advisory).