CVE-2025-22347

Severity: High
Published: 07 January 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L)
EPSS: 0.0011 (29.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22347 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the BSK Forms Blacklist WordPress plugin that can be chained into Blind SQL Injection. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0011 places it at the 29.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations this analysis identified are NIST 800-53 SC-23 (Session Authenticity), which stops the forged request, and SI-10 (Information Input Validation), which stops the injection that request would carry; updating the plugin to a release newer than 3.9 (SI-2, Flaw Remediation) removes the flaw itself.

Deeper analysis

CVE-2025-22347 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the BSK Forms Blacklist WordPress plugin (slug bsk-gravityforms-blacklist, by bannersky). Because the forgeable request reaches a database query, the flaw can be chained into Blind SQL Injection. It affects all versions from an unspecified initial release through 3.9 inclusive. Published on 2025-01-07, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L): reachable over the network with low attack complexity and no privileges required, but needing user interaction, with changed scope, high confidentiality impact, no integrity impact and low availability impact.

Exploitation requires no privileges on the attacker's side but does require user interaction: the attacker lures a user who is logged in to the WordPress site to a malicious page, or to a crafted link, that silently submits a request to a plugin endpoint lacking anti-CSRF protection. The browser attaches the victim's session cookies, so the site handles the forged request as the victim's own. Because attacker-controlled parameters in that request reach a database query without adequate sanitization or parameterization, the forged request becomes a Blind SQL Injection: the query's output is not returned to the attacker directly, but database contents can still be inferred from true/false or timing differences in the response. That yields the high confidentiality impact, with minor availability disruption; the changed scope (S:C) means the damage is not confined to the vulnerable plugin component itself.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bsk-gravityforms-blacklist/vulnerability/wordpress-bsk-forms-blacklist-plugin-3-9-csrf-to-sql-injection-vulnerability?_s_id=cve) documents the CSRF-to-Blind SQL Injection chain specifically in version 3.9 of the plugin.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in bannersky BSK Forms Blacklist (bsk-gravityforms-blacklist) allows Blind SQL Injection. This issue affects BSK Forms Blacklist: from n/a through 3.9.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF-to-Blind-SQLi chain directly enables remote exploitation of a public-facing WordPress plugin for database data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Affected Assets

BSK Forms Blacklist WordPress plugin (bsk-gravityforms-blacklist, by bannersky), all versions through 3.9 inclusive.

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Remediating the flaw in the BSK Forms Blacklist plugin, by updating it to a release newer than 3.9, removes the CSRF-to-Blind SQL Injection vulnerability on affected installations.

SI-10 Information Input Validation (prevent)
Validating and sanitizing input to plugin endpoints, and binding it into parameterized queries rather than interpolating it into SQL, prevents a forged request from turning into Blind SQL Injection.

SC-23 Session Authenticity (prevent)
Session authenticity mechanisms such as anti-CSRF tokens (WordPress nonces) reject requests that do not carry a token bound to the user's session, so an attacker who lures an authenticated user to a malicious page cannot trigger the vulnerability through that user's browser.
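The chain described in the deeper analysis and the three controls listed here are easiest to see side by side in code. The following is an illustrative example added to this page; it is not the BSK Forms Blacklist plugin's code and does not reproduce the plugin's real endpoint. It is a hypothetical WordPress admin-post handler (the function names, the demo_blacklist table, the term parameter and the nonce name are all assumed) written first in the vulnerable shape, a nonce-less handler that interpolates a POST parameter into SQL, and then hardened with a nonce check (SC-23), a capability check, input validation (SI-10) and a parameterized query.

```php
<?php
// Illustrative example added by the editor, not the BSK Forms Blacklist plugin's code.
// Shows the generic CSRF-to-Blind-SQL-Injection shape in a hypothetical WordPress
// admin-post handler, then the hardened form. All names below are assumptions.

// ---- Vulnerable shape (hypothetical) ---------------------------------------
// Dispatched for  POST /wp-admin/admin-post.php?action=demo_blacklist_lookup
// when a user is logged in. A page on any other origin can auto-submit such a
// form; the browser attaches the victim's WordPress session cookies, and nothing
// here proves the user intended the request (no nonce) or may perform it (no
// capability check). That is CWE-352.
function demo_blacklist_lookup_vulnerable() {
    global $wpdb;
    $term  = $_POST['term'];                      // attacker-controlled, unsanitized
    $table = $wpdb->prefix . 'demo_blacklist';    // assumed table name
    // The value is interpolated into SQL, so the forged request carries SQL
    // syntax into the query (CWE-89). Nothing from the result set is echoed
    // back, which is what makes the injection "blind": a payload such as
    //   x' AND (SELECT SLEEP(5))='
    // still lets the attacker infer data from response timing or from a
    // true/false difference in what the redirect carries.
    $count = $wpdb->get_var("SELECT COUNT(*) FROM {$table} WHERE value = '{$term}'");
    wp_safe_redirect(admin_url('admin.php?page=demo_blacklist&count=' . (int) $count));
    exit;
}

// ---- Hardened shape --------------------------------------------------------
function demo_blacklist_lookup_hardened() {
    global $wpdb;

    // 1. Session authenticity (SC-23): the request must carry a nonce bound to
    //    this action and this user's session. A cross-origin page cannot read
    //    one, so a forged request dies here (check_admin_referer() calls
    //    wp_die() on a missing or invalid nonce).
    check_admin_referer('demo_blacklist_lookup', 'demo_nonce');

    // 2. Least privilege: a genuine request still needs the right capability.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }

    // 3. Input validation (SI-10): unslash, strip tags and control characters,
    //    and bound the length before the value goes anywhere near the database.
    $term = sanitize_text_field(wp_unslash($_POST['term'] ?? ''));
    if ($term === '' || strlen($term) > 255) {
        wp_die('Invalid term.', '', array('response' => 400));
    }

    // 4. Parameterized query: %s is bound by $wpdb->prepare(), so quotes and
    //    SQL keywords in $term are data, not syntax. The table name is built
    //    only from $wpdb->prefix and a literal, never from user input.
    $table = $wpdb->prefix . 'demo_blacklist';
    $count = $wpdb->get_var(
        $wpdb->prepare("SELECT COUNT(*) FROM {$table} WHERE value = %s", $term)
    );
    wp_safe_redirect(admin_url('admin.php?page=demo_blacklist&count=' . (int) $count));
    exit;
}
add_action('admin_post_demo_blacklist_lookup', 'demo_blacklist_lookup_hardened');

// The legitimate form emits the matching nonce; this is the token a cross-site
// form cannot supply.
function demo_blacklist_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_blacklist_lookup">
        <?php wp_nonce_field('demo_blacklist_lookup', 'demo_nonce'); ?>
        <label>Term <input type="text" name="term" maxlength="255"></label>
        <button type="submit">Look up</button>
    </form>
    <?php
}
```

Both handlers are shown for contrast; a real plugin registers only one. The nonce alone defeats the CSRF and the prepared statement alone defeats the SQL injection; the chain this page describes exists when both are missing, so a fix needs both, plus the capability check so that a low-privilege logged-in user cannot reach the query directly.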

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/bsk-gravityforms-blacklist/vulnerability/wordpress-bsk-forms-blacklist-plugin-3-9-csrf-to-sql-injection-vulnerability?_s_id=cve