CVE-2025-22347
Published: 07 January 2025
Summary
CVE-2025-22347 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 29.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22347 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the BSK Forms Blacklist WordPress plugin (bsk-gravityforms-blacklist). This flaw enables Blind SQL Injection and affects all versions from an unspecified initial release through 3.9 inclusive. Published on 2025-01-07, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L), highlighting its high severity due to network accessibility and significant confidentiality impact.
The vulnerability can be exploited by remote attackers with no required privileges, though it requires user interaction, such as luring an authenticated user to a malicious site or onto a crafted link that submits a forged request to the vulnerable endpoint. The forged request carries attacker-controlled input into a Blind SQL Injection, enabling extraction of sensitive data from the database (high confidentiality impact) with minor availability disruption, while the changed scope (S:C) amplifies the potential damage.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bsk-gravityforms-blacklist/vulnerability/wordpress-bsk-forms-blacklist-plugin-3-9-csrf-to-sql-injection-vulnerability?_s_id=cve) documents the CSRF-to-Blind SQL Injection chain specifically in version 3.9 of the plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2746
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in bannersky BSK Forms Blacklist bsk-gravityforms-blacklist allows Blind SQL Injection. This issue affects BSK Forms Blacklist: from n/a through <= 3.9.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF-to-Blind-SQLi chain directly enables remote exploitation of a public-facing WordPress plugin for database data extraction.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Remediating flaws in the BSK Forms Blacklist plugin directly patches the CSRF-to-Blind SQL Injection vulnerability across affected versions.
Validating and sanitizing inputs to plugin endpoints prevents Blind SQL Injection exploitation triggered by forged CSRF requests.
Session authenticity mechanisms such as anti-CSRF tokens reject forged requests submitted from an authenticated user's browser after that user has been lured to an attacker-controlled page, so the vulnerable endpoint is never reached.
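As an added illustration of the SI-10 and SC-23 controls above (constructed for this page; not code from the BSK Forms Blacklist plugin or from Patchstack), the following hypothetical WordPress admin-post handler shows the weak pattern, a state-changing endpoint with no nonce check that concatenates request input into SQL, beside a hardened form that verifies the nonce and capability and uses a prepared statement. The action name `bsk_demo_save`, the table `{$wpdb->prefix}bsk_demo_blacklist` and the page slug are assumptions.

```php
<?php
// Hypothetical handler, constructed for illustration; not the plugin's code.
// The action name 'bsk_demo_save' and the table name are assumptions.

// WEAK: no nonce, no capability check, raw input concatenated into SQL.
// A forged POST from any site the logged-in user visits reaches this code,
// and the input lands directly in the query (the CSRF-to-SQLi chain).
function bsk_demo_save_weak() {
    global $wpdb;
    $email = $_POST['email'];
    $wpdb->query("INSERT INTO {$wpdb->prefix}bsk_demo_blacklist (email) VALUES ('$email')");
    wp_safe_redirect(admin_url('admin.php?page=bsk-demo'));
    exit;
}

// HARDENED: SC-23 (nonce ties the request to an action the user started)
// plus SI-10 (input validated, query parameterised via $wpdb->prepare()).
function bsk_demo_save_hardened() {
    global $wpdb;
    // SC-23: reject requests lacking a nonce issued for this action.
    // check_admin_referer() calls wp_die() on failure.
    check_admin_referer('bsk_demo_save', '_wpnonce');
    // Least privilege: only users allowed to manage options may edit the list.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges.', '', array('response' => 403));
    }
    // SI-10: unslash, sanitise and validate before the value touches the DB.
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    if (!is_email($email)) {
        wp_die('Invalid e-mail address.', '', array('response' => 400));
    }
    // Parameterised query: the value can never alter the SQL structure.
    $wpdb->query($wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}bsk_demo_blacklist (email) VALUES (%s)",
        $email
    ));
    wp_safe_redirect(admin_url('admin.php?page=bsk-demo'));
    exit;
}
add_action('admin_post_bsk_demo_save', 'bsk_demo_save_hardened');

// The legitimate form must embed the nonce the hardened handler checks;
// a cross-site page cannot read it, so its forged POST fails the check.
function bsk_demo_render_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    wp_nonce_field('bsk_demo_save', '_wpnonce');
    echo '<input type="hidden" name="action" value="bsk_demo_save">';
    echo '<input type="email" name="email"><button type="submit">Block</button></form>';
}
```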