CVE-2025-22703
Published: 03 February 2025
Summary
CVE-2025-22703 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22703 is a Cross-Site Request Forgery (CSRF) vulnerability in the manuelvicedo Forge – Front-End Page Builder WordPress plugin that allows Stored Cross-Site Scripting (XSS). The issue affects Forge – Front-End Page Builder versions from n/a through 1.4.6. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity, requiring user interaction such as visiting a malicious site. Exploitation involves tricking an authenticated user, likely an administrator, into performing a state-changing action via a forged request, resulting in the injection of persistent XSS payloads that execute in the context of other site visitors.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/forge/vulnerability/wordpress-forge-front-end-page-builder-plugin-1-4-6-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve details this CSRF-to-stored XSS issue in Forge version 1.4.6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2929
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in manuelvicedo Forge – Front-End Page Builder forge allows Stored XSS.This issue affects Forge – Front-End Page Builder: from n/a through <= 1.4.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is in a public-facing WordPress plugin and can be remotely exploited via CSRF to inject stored XSS payloads, directly enabling exploitation of the application (T1190) and arbitrary JavaScript execution in visitors' browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces session authenticity mechanisms such as anti-CSRF tokens to prevent forged requests from tricking authenticated users into injecting stored XSS payloads.
Validates and sanitizes inputs to the Forge plugin to block malicious XSS payloads from being accepted and stored via the CSRF vector.
Filters and encodes information output from stored content to prevent execution of XSS payloads injected through the CSRF vulnerability.