Description
Cross-Site Request Forgery (CSRF) vulnerability in Aboobacker. AB Google Map Travel ab-google-map-travel allows Cross Site Request Forgery. This issue affects AB Google Map Travel : from n/a through <= 4.6.
Published: 2025-03-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AB Google Map Travel plugin contains a Cross-Site Request Forgery weakness that permits an attacker to forge requests under the identity of an authenticated user. Because the supplied post data is not properly validated, the forged request can insert arbitrary JavaScript into the website's database. When the malicious content is later displayed, the stored script executes in the browsers of all site visitors, creating a persistent Cross-Site Scripting condition that can be used to steal credentials, hijack sessions, or deface the site.

Affected Systems

WordPress sites running the AB Google Map Travel plugin from the earliest released version through 4.6 inclusive are affected. The vendor, Aboobacker, is responsible for this plugin.

Risk and Exploitability

The indexer assigned a CVSS score of 7.1, marking the issue as high severity. Its EPSS score is less than 1%, indicating that active exploitation is sparse at this time, and it is not listed in the CISA KEV catalog. The likely attack vector is a high-impact CSRF that requires an authenticated administrator or privileged user to be tricked into submitting the forged request (the CVSS vector records PR:N with UI:R). Once triggered, the stored script can execute on every visitor's browser, producing significant confidentiality and integrity risks.

Generated by OpenCVE AI on May 1, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install any available update for the AB Google Map Travel plugin newer than 4.6 that contains the vendor‑provided fix.
  • If no update is available, remove or permanently disable the plugin to eliminate the attack surface.
  • Deploy a strict Content-Security-Policy that blocks execution of inline scripts not explicitly allowed, mitigating the impact of any residual stored XSS attempts.
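The Impact section above describes the pattern behind this class of bug (a settings request that is accepted without a CSRF token and whose post data is stored unsanitized) and the Recommended Actions list a Content-Security-Policy as defence in depth. The following is an added, hypothetical WordPress handler that shows the defensive side of both points. It is not code from the AB Google Map Travel plugin, from Aboobacker, or from OpenCVE, and it makes no claim about how that plugin is implemented; the option, action and hook names prefixed abgmt_demo_ are placeholders chosen for this illustration. All WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, esc_html, send_headers) are standard core APIs.

```php
<?php
/*
 * Hypothetical, defensively written option-save handler for a WordPress plugin.
 * Added example for this page; NOT the AB Google Map Travel plugin's code.
 * Names prefixed abgmt_demo_ are placeholders for this illustration.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Register a settings page whose form carries a nonce. Only pages served by
// this site can emit a valid nonce, so a page on a foreign origin cannot
// produce a request that passes the check in abgmt_demo_handle_save().
add_action( 'admin_menu', function () {
    add_options_page( 'ABGMT demo', 'ABGMT demo', 'manage_options', 'abgmt-demo', 'abgmt_demo_render_form' );
} );

function abgmt_demo_render_form() {
    $current = get_option( 'abgmt_demo_map_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="abgmt_demo_save">
        <?php wp_nonce_field( 'abgmt_demo_save', 'abgmt_demo_nonce' ); ?>
        <label>Map title
            <input type="text" name="map_title" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST: verify the nonce, check capability, sanitize before storing.
function abgmt_demo_handle_save() {
    // Terminates the request with a 403 page unless a nonce tied to the
    // current user's session and to this action is present and valid.
    check_admin_referer( 'abgmt_demo_save', 'abgmt_demo_nonce' );

    // A CSRF token proves the request originated from this site; it does not
    // prove the user may change settings, so authorisation is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'abgmt-demo' ), 403 );
    }

    // Strip tags and control characters before the value reaches the database,
    // so that script markup is never stored for later display.
    $title = isset( $_POST['map_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['map_title'] ) )
        : '';
    update_option( 'abgmt_demo_map_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=abgmt-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_abgmt_demo_save', 'abgmt_demo_handle_save' );

// Escape at output time as well: stored data is untrusted regardless of who
// saved it, which is what turns a CSRF into a stored-XSS risk when missing.
function abgmt_demo_title_shortcode() {
    return '<h2 class="abgmt-demo-title">' . esc_html( get_option( 'abgmt_demo_map_title', '' ) ) . '</h2>';
}
add_shortcode( 'abgmt_demo_title', 'abgmt_demo_title_shortcode' );

// Defence in depth on the front end: a Content-Security-Policy without
// 'unsafe-inline' refuses inline <script> blocks even if a stored payload
// slipped past input handling. This policy is deliberately strict; a real
// site must add the script sources its theme and other plugins load.
function abgmt_demo_send_csp() {
    if ( ! is_admin() && ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'abgmt_demo_send_csp' );
```

The three layers are independent: the nonce stops a forged cross-site request from being accepted at all, sanitization plus output escaping stops stored markup from executing even for requests that are accepted, and the CSP limits what an inline script could do if the first two layers fail. A plugin that omits the first layer and the second is the situation the Impact section describes.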

Generated by OpenCVE AI on May 1, 2026 at 12:07 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-8780
Title: Cross-Site Request Forgery (CSRF) vulnerability in Aboobacker. AB Google Map Travel allows Cross Site Request Forgery. This issue affects AB Google Map Travel : from n/a through 4.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Aboobacker. AB Google Map Travel allows Cross Site Request Forgery. This issue affects AB Google Map Travel : from n/a through 4.6.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Aboobacker. AB Google Map Travel ab-google-map-travel allows Cross Site Request Forgery.This issue affects AB Google Map Travel : from n/a through <= 4.6.
References
Metrics cvssV3_1
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 31 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 13:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Aboobacker. AB Google Map Travel allows Cross Site Request Forgery. This issue affects AB Google Map Travel : from n/a through 4.6.
Title WordPress AB Google Map Travel plugin <= 4.6 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.324Z

Reserved: 2025-03-31T10:06:10.341Z

Link: CVE-2025-31613

Vulnrichment

Updated: 2025-03-31T13:40:10.336Z

NVD

Status : Deferred

Published: 2025-03-31T13:15:55.430

Modified: 2026-04-23T15:28:04.603

Link: CVE-2025-31613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:15:17Z

Weaknesses