CVE-2025-22347
Published: 07 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in bannersky BSK Forms Blacklist bsk-gravityforms-blacklist allows Blind SQL Injection. This issue affects BSK Forms Blacklist: from n/a through <= 3.9.
Security Summary
CVE-2025-22347 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the BSK Forms Blacklist WordPress plugin (bsk-gravityforms-blacklist). This flaw enables Blind SQL Injection and affects all versions from an unspecified initial release through 3.9 inclusive. Published on 2025-01-07, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L), highlighting its high severity due to network accessibility and significant confidentiality impact.
The vulnerability can be exploited by remote attackers with no required privileges, but it demands user interaction, such as luring an authenticated user to a malicious site or to a crafted link that submits a request to the plugin endpoint lacking CSRF protection. The forged request reaches the vulnerable SQL handling, leading to Blind SQL Injection that enables extraction of sensitive data from the database with high confidentiality impact and minor availability disruption; the changed scope (S:C) reflects that the impact extends beyond the plugin to the WordPress site as a whole.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bsk-gravityforms-blacklist/vulnerability/wordpress-bsk-forms-blacklist-plugin-3-9-csrf-to-sql-injection-vulnerability?_s_id=cve) documents the CSRF-to-Blind SQL Injection chain specifically in version 3.9 of the plugin.
Details
- CWE(s)