CVE-2025-22628: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability via Cross-Site Request Forgery (CSRF) was discovered in the WordPress plugin Filled In, affecting versions through 1.9.2. The vulnerability was reported on December 26, 2024, and publicly disclosed on February 11, 2025 (Patchstack).

The vulnerability stems from the plugin's lack of CSRF protection when updating settings, combined with missing input sanitization and output escaping. This security flaw has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, WPScan).

The vulnerability could allow attackers to execute a CSRF attack that results in stored XSS payloads being added to the site through the plugin's settings. This requires user interaction from a logged-in administrator, and could potentially lead to compromised website integrity and security (WPScan).

Currently, there is no known official fix available for this vulnerability. Website administrators using the affected versions of the Filled In plugin should consider either removing the plugin or implementing additional security measures at the web application firewall level (WPScan).