Filled In < 1.9.3 – Stored XSS via CSRF | CVE 2025-22628

Affects Plugins

Fixed in 1.9.3

References

CVE

CVE-2025-22628

URL

https://patchstack.com/database/wordpress/plugin/filled-in/vulnerability/wordpress-filled-in-plugin-1-9-1-csrf-to-stored-xss-vulnerability

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

7.1 (high)

Miscellaneous

Original Researcher

0xd4rk5id3

Verified

No

WPVDB ID

9475754d-5331-48b5-a158-5c72a6100471

Timeline

Publicly Published

2025-02-11 (about 1 year ago)

Added

2025-02-18 (about 1 year ago)

Last Updated

2025-04-08 (about 11 months ago)

Other

Published

Title

Published

2024-12-06

Title

Poll Maker < 5.5.5 - Cross-Site Request Forgery to Poll Duplication

Published

2025-04-09

Title

Epeken All Kurir <= 2.0.6 - Stored XSS via CSRF

Published

2023-12-26

Title

MStore API < 4.10.2 - Cross-Site Request Forgery

Published

2025-03-31

Title

Simple Contact Forms <= 1.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-06-27

Title

WooCommerce PDF Invoice Builder < 1.2.149 - Cross-Site Request Forgery