Description
Cross-Site Request Forgery (CSRF) vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Cross Site Request Forgery. This issue affects WP Multistore Locator: from n/a through <= 2.5.2.
Published: 2025-04-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Multistore Locator plugin for WordPress contains a Cross‑Site Request Forgery flaw that lets an attacker trigger privileged actions on behalf of a logged‑in user. The weakness is identified as CWE‑352 and can compromise the confidentiality, integrity or availability of the site if an attacker can cause an authenticated user's browser to send crafted requests. The flaw arises because the plugin does not verify that the request originates from a legitimate source, for example by requiring and validating an anti‑CSRF token (a WordPress nonce).

Affected Systems

WordPress installations running the WP Multistore Locator plugin version 2.5.2 or earlier are affected. This includes all sites from the earliest release through 2.5.2 as noted by the CNA vendor WPExperts.io.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact with limited exploitability. The EPSS score of less than 1% means that the probability of observed exploitation in the wild is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker tricking a logged‑in user into visiting a malicious page that submits a forged request to the plugin’s endpoint. The vulnerability requires that the victim have sufficient privileges on the WordPress site to perform the action that the plugin allows.

Generated by OpenCVE AI on May 1, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Multistore Locator plugin to the latest version that resolves the CSRF vulnerability (e.g., 2.5.3 or newer).
  • If an immediate upgrade is not feasible, disable the plugin’s administrative interfaces or restrict them so that only legitimate administrative users can access them.
  • Deploy a web application firewall or security plugin that blocks requests to the plugin’s endpoints unless they contain a valid CSRF nonce, thereby mitigating the forgery risk.
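As an added illustration of the fix these actions describe (example code, not the plugin's own and not from OpenCVE): a hypothetical WordPress admin-post handler written without a nonce check, beside the hardened form that requires both a valid nonce and a capability check. All function, action, option and form-field names are assumptions.

```php
<?php
// Added example, not code from WP Multistore Locator. Names are hypothetical.

// VULNERABLE pattern: acts on any POST that reaches the admin-post hook.
// A page the victim visits can auto-submit such a form, and the browser
// attaches the victim's WordPress session cookies to the request.
add_action( 'admin_post_example_save_store', 'example_save_store_vulnerable' );
function example_save_store_vulnerable() {
    $address = sanitize_text_field( wp_unslash( $_POST['store_address'] ?? '' ) );
    update_option( 'example_store_address', $address );
    wp_safe_redirect( admin_url( 'admin.php?page=example-stores' ) );
    exit;
}

// HARDENED pattern: verify intent (nonce) AND authority (capability).
add_action( 'admin_post_example_save_store_fixed', 'example_save_store_fixed' );
function example_save_store_fixed() {
    // check_admin_referer() stops the request with a 403 unless it carries a
    // nonce minted for this action and bound to the current user's session.
    check_admin_referer( 'example_save_store', 'example_nonce' );

    // A nonce proves intent, not privilege: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    $address = sanitize_text_field( wp_unslash( $_POST['store_address'] ?? '' ) );
    update_option( 'example_store_address', $address );
    wp_safe_redirect( admin_url( 'admin.php?page=example-stores&updated=1' ) );
    exit;
}

// The form that targets the hardened handler embeds the matching nonce field.
function example_render_store_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_store_fixed">
        <?php wp_nonce_field( 'example_save_store', 'example_nonce' ); ?>
        <input type="text" name="store_address"
               value="<?php echo esc_attr( get_option( 'example_store_address', '' ) ); ?>">
        <?php submit_button( 'Save store' ); ?>
    </form>
    <?php
}
```

A request forged from a third-party page cannot include a nonce that matches the victim's session, so the hardened handler rejects it before any option is written.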


Advisories
Source: EUVD
ID: EUVD-2025-9153
Title: Cross-Site Request Forgery (CSRF) vulnerability in WPExperts.io WP Multistore Locator allows Cross Site Request Forgery. This issue affects WP Multistore Locator: from n/a through 2.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Description (value removed): Cross-Site Request Forgery (CSRF) vulnerability in WPExperts.io WP Multistore Locator allows Cross Site Request Forgery. This issue affects WP Multistore Locator: from n/a through 2.5.2.
Description (value added): Cross-Site Request Forgery (CSRF) vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Cross Site Request Forgery.This issue affects WP Multistore Locator: from n/a through <= 2.5.2.
References: updated
Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 01 Apr 2025 16:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Description: Cross-Site Request Forgery (CSRF) vulnerability in WPExperts.io WP Multistore Locator allows Cross Site Request Forgery. This issue affects WP Multistore Locator: from n/a through 2.5.2.
Title: WordPress WP Multi Store Locator Plugin <= 2.5.2 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses: CWE-352
References: added
Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.343Z

Reserved: 2025-04-01T13:21:22.234Z

Link: CVE-2025-31888

Vulnrichment

Updated: 2025-04-01T15:38:39.296Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:31.960

Modified: 2026-04-23T15:28:29.540

Link: CVE-2025-31888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)