Description
Cross-Site Request Forgery (CSRF) vulnerability in AnyRoad AnyRoad anyguide allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through <= 1.3.2.
Published: 2025-01-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unprotected action in the AnyRoad anyguide plugin allows an attacker to trick a logged‑in WordPress user into unintentionally performing a privileged request. The weakness is identified as CWE‑352, which enables the attacker to forge a legitimate request on behalf of the user. Because the vulnerability does not provide direct code execution, its impact is limited to unauthorized actions that the user’s account permits.

Affected Systems

All WordPress sites running the AnyRoad anyguide plugin version 1.3.2 or earlier are affected. No specific WordPress core version constraints are listed, so the risk applies to any installation that has not updated the plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3, placing it in the medium‑severity range. The EPSS score of less than 1% indicates a very small chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated user to visit a crafted link or form that the plugin accepts, after which the attacker can trigger actions that the user is authorized to perform.

Generated by OpenCVE AI on May 1, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AnyRoad anyguide plugin to a version newer than 1.3.2.
  • Configure WordPress or a security plugin to enforce CSRF tokens on all authenticated actions involving the AnyRoad plugin.
  • Restrict the plugin’s capabilities to only the necessary user roles or disable it for roles that do not need it.



Advisories
Source: EUVD
ID: EUVD-2025-3590
Title: Cross-Site Request Forgery (CSRF) vulnerability in anyroad.com AnyRoad allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through 1.3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in anyroad.com AnyRoad allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through 1.3.2.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in AnyRoad AnyRoad anyguide allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through <= 1.3.2.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 21 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in anyroad.com AnyRoad allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through 1.3.2.
Title WordPress AnyRoad plugin <= 1.3.2 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:01:59.617Z

Reserved: 2025-01-16T11:33:30.631Z

Link: CVE-2025-23996

Vulnrichment

Updated: 2025-01-21T18:35:38.912Z

NVD

Status: Deferred

Published: 2025-01-21T18:15:17.503

Modified: 2026-06-17T08:57:51.513

Link: CVE-2025-23996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)