Description
Cross-Site Request Forgery (CSRF) vulnerability in WPGMaps WP Go Maps wp-google-maps.This issue affects WP Go Maps: from n/a through <= 9.0.40.
Published: 2025-01-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Cross‑Site Request Forgery flaw found in the WordPress WP Go Maps plugin up to version 9.0.40. The weakness (CWE‑352) allows an attacker to craft a request that the victim's browser will send to the site while the victim is authenticated. If successful, the attacker can trigger any action the authenticated user is allowed to perform within the plugin, potentially altering map data, changing settings, or exposing sensitive information. The impact is limited to what the authenticated user can accomplish, but it could lead to data loss or unauthorized configuration changes.

Affected Systems

The flaw affects the WP Go Maps plugin (both Basic and Pro editions) released by Codecabin for WordPress. Any installation of the plugin at version 9.0.40 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, while the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because CSRF requires a victim to be logged into the site, the attacker needs only to entice the user to visit a malicious page that triggers the forged request. No additional system privileges are required, so the exploitation is confined to the privileged actions within the plugin.

Generated by OpenCVE AI on May 1, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Go Maps plugin to a version newer than 9.0.40, ensuring the bug fix is applied.
  • After updating, verify that authenticated sessions are refreshed and that no privileged plugin actions can be performed without legitimate authorization.
  • If you cannot update immediately, disable or remove the plugin from public-facing pages or restrict its use to trusted administrators to mitigate potential exploitation.

Generated by OpenCVE AI on May 1, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3932 Cross-Site Request Forgery (CSRF) vulnerability in WP Go Maps (formerly WP Google Maps) WP Go Maps. This issue affects WP Go Maps: from n/a through 9.0.40.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in WP Go Maps (formerly WP Google Maps) WP Go Maps. This issue affects WP Go Maps: from n/a through 9.0.40. Cross-Site Request Forgery (CSRF) vulnerability in WPGMaps WP Go Maps wp-google-maps.This issue affects WP Go Maps: from n/a through <= 9.0.40.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Codecabin
Codecabin wp Go Maps
CPEs cpe:2.3:a:codecabin:wp_go_maps:*:*:*:*:basic:wordpress:*:*
cpe:2.3:a:codecabin:wp_go_maps:*:*:*:*:pro:wordpress:*:*
Vendors & Products Codecabin
Codecabin wp Go Maps

Mon, 27 Jan 2025 14:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in WP Go Maps (formerly WP Google Maps) WP Go Maps. This issue affects WP Go Maps: from n/a through 9.0.40.
Title WordPress WP Google Maps plugin <= 9.0.40 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Codecabin Wp Go Maps
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:33.710Z

Reserved: 2025-01-23T14:52:51.692Z

Link: CVE-2025-24742

cve-icon Vulnrichment

Updated: 2025-02-12T20:37:12.803Z

cve-icon NVD

Status : Modified

Published: 2025-01-27T15:15:16.830

Modified: 2026-04-23T15:25:25.280

Link: CVE-2025-24742

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:15:22Z

Weaknesses