Impact
The WP Ride Booking plugin contains a Cross‑Site Request Forgery (CSRF) flaw: at least one state‑changing request is accepted without verifying that the logged‑in user intentionally issued it, so an attacker can have the victim's browser submit that request on the attacker's behalf. Because the weakness is in the plugin's request handling, an attacker who lures an authenticated user to a crafted link or embeds malicious content (for example an auto‑submitting form) in a page the user visits can trigger booking actions, cancel rides, or otherwise manipulate ride data without the user's consent; the browser attaches the victim's session cookie to the forged request automatically. The identified weakness is CWE‑352 (Cross‑Site Request Forgery), which results in unauthorized operations being performed in the context of a legitimate session.
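The following is an added illustration of the weakness class and its standard WordPress remedy; it is not code from the WP Ride Booking plugin, and the action name rb_cancel_ride, the ride_id parameter, the rb_status meta key, the capability checked and the admin page slug are all hypothetical. It shows a state‑changing admin‑post handler that trusts the session cookie alone, and the same handler hardened with a nonce and a capability check so that a request forged from another origin is rejected.

```php
<?php
// Added example (not the WP Ride Booking plugin's own code). All names below are
// hypothetical: 'rb_cancel_ride', 'ride_id', 'rb_status', 'rb-rides', 'rb_nonce'.

// BEFORE (CSRF‑prone): this handler runs whenever a request for the action
// arrives with a valid login cookie. A page on any other origin can auto‑submit
// a form to admin-post.php and the victim's browser attaches the cookie, so the
// ride is cancelled without the victim doing anything. Deliberately NOT hooked
// below so that it never runs; it is here only for contrast.
function rb_cancel_ride_vulnerable() {
    $ride_id = isset( $_POST['ride_id'] ) ? absint( $_POST['ride_id'] ) : 0;
    if ( $ride_id ) {
        update_post_meta( $ride_id, 'rb_status', 'cancelled' );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=rb-rides' ) );
    exit;
}

// AFTER (hardened): the form carries a nonce bound to this action, this ride
// and the current user's session. check_admin_referer() dies (HTTP 403, "The
// link you followed has expired") when the nonce is absent or invalid, which is
// exactly what happens to a request forged from a third‑party page, because the
// attacker cannot read the nonce out of the victim's page. A capability check
// then confines the action to users who are allowed to perform it at all.
add_action( 'admin_post_rb_cancel_ride', 'rb_cancel_ride_hardened' );
function rb_cancel_ride_hardened() {
    $ride_id = isset( $_POST['ride_id'] ) ? absint( $_POST['ride_id'] ) : 0;

    // Nonce action string must match the one used when the form was rendered.
    check_admin_referer( 'rb_cancel_ride_' . $ride_id, 'rb_nonce' );

    // 'edit_posts' is a placeholder; use the capability appropriate to the data.
    if ( ! $ride_id || ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to cancel this ride.', 'rb' ), 403 );
    }

    update_post_meta( $ride_id, 'rb_status', 'cancelled' );
    wp_safe_redirect( admin_url( 'admin.php?page=rb-rides' ) );
    exit;
}

// Rendering the form: wp_nonce_field() emits the hidden nonce input (plus the
// _wp_http_referer field) that check_admin_referer() validates on submission.
function rb_render_cancel_form( $ride_id ) {
    $ride_id = absint( $ride_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rb_cancel_ride">
        <input type="hidden" name="ride_id" value="<?php echo $ride_id; ?>">
        <?php wp_nonce_field( 'rb_cancel_ride_' . $ride_id, 'rb_nonce' ); ?>
        <button type="submit"><?php esc_html_e( 'Cancel ride', 'rb' ); ?></button>
    </form>
    <?php
}
```

The same pattern applies to AJAX endpoints (check_ajax_referer() with the nonce passed in the request body) and to REST routes (a permission_callback plus the X‑WP‑Nonce header). When auditing a plugin for this class of bug, look for every admin_post_*, wp_ajax_* and init/template handler that writes data and confirm that a nonce check precedes the write; a capability check alone does not stop CSRF, because the forged request already carries the victim's capabilities.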
Affected Systems
WordPress sites running the WP Ride Booking plugin by GBS Developer, versions 2.4 and earlier. The advisory gives no lower bound beyond “from n/a”, so every release up to and including 2.4 should be treated as affected. No other vendor products are listed as affected.
Risk and Exploitability
The CVSS score of 4.3 corresponds to Medium severity, and the EPSS score below 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which further lowers its priority relative to actively exploited flaws. The page does not give the CVSS vector; a 4.3 is consistent with the profile typical of WordPress CSRF issues (network‑reachable, no privileges required, user interaction required, a single low‑impact outcome, e.g. AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, which scores 4.3), so exploitation is inferred to be a web‑based attack that depends on luring a victim who holds an authenticated session. The forged request executes with the victim's own privileges, so the impact is bounded by what the targeted account is allowed to do; luring an administrator is the worst case, and a plugin that lacks nonce validation (wp_verify_nonce, check_admin_referer or check_ajax_referer) on its state‑changing endpoints is relying on the session cookie alone, which is precisely what makes the forgery possible.
OpenCVE Enrichment