Cyber Resilience

CVE-2025-22703

High

Published: 03 February 2025

Published
03 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0003 10.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22703 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-22703 is a Cross-Site Request Forgery (CSRF) vulnerability in the manuelvicedo Forge – Front-End Page Builder WordPress plugin that allows Stored Cross-Site Scripting (XSS). The issue affects Forge – Front-End Page Builder versions from n/a through 1.4.6. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity, requiring user interaction such as visiting a malicious site. Exploitation involves tricking an authenticated user, likely an administrator, into performing a state-changing action via a forged request, resulting in the injection of persistent XSS payloads that execute in the context of other site visitors.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/forge/vulnerability/wordpress-forge-front-end-page-builder-plugin-1-4-6-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve details this CSRF-to-stored XSS issue in Forge version 1.4.6.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in manuelvicedo Forge – Front-End Page Builder forge allows Stored XSS.This issue affects Forge – Front-End Page Builder: from n/a through <= 1.4.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability is in a public-facing WordPress plugin and can be remotely exploited via CSRF to inject stored XSS payloads, directly enabling exploitation of the application (T1190) and arbitrary JavaScript execution in visitors' browsers (T1059.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-28931Shared CWE-352
CVE-2025-23980Shared CWE-352
CVE-2025-23710Shared CWE-352
CVE-2025-23822Shared CWE-352
CVE-2025-25128Shared CWE-352
CVE-2025-31616Shared CWE-352
CVE-2025-23483Shared CWE-352
CVE-2025-23817Shared CWE-352
CVE-2025-23446Shared CWE-352
CVE-2025-23664Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces session authenticity mechanisms such as anti-CSRF tokens to prevent forged requests from tricking authenticated users into injecting stored XSS payloads.

prevent

Validates and sanitizes inputs to the Forge plugin to block malicious XSS payloads from being accepted and stored via the CSRF vector.

prevent

Filters and encodes information output from stored content to prevent execution of XSS payloads injected through the CSRF vulnerability.

References