Description
Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder WP_UltimateToursBuilder allows Cross Site Request Forgery.This issue affects WP Ultimate Tours Builder: from n/a through <= 1.055.
Published: 2025-05-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw allows an attacker to forge requests that a victim’s browser will send to the site, exploiting the WP Ultimate Tours Builder plugin to perform actions on the user's behalf. The attacker can cause the plugin to execute changes or actions as if the authenticated user had initiated them, potentially compromising data integrity and account functions.

Affected Systems

WordPress sites that run the loopus WP Ultimate Tours Builder plugin version 1.055 or earlier are affected. The vulnerability applies to all releases in that range; the product name is WP Ultimate Tours Builder and the vendor is loopus.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests exploitation is unlikely at the moment, and the vulnerability is not in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker sending a crafted request from an external site that a logged‑in user would execute in their browser, taking advantage of insufficient CSRF protection in the plugin.

Generated by OpenCVE AI on April 30, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Ultimate Tours Builder to a version newer than 1.055.
  • Disable or limit the use of plugin features that are not needed on the site.
  • Add CSRF mitigation measures such as same‑origin policy enforcement or a security‑plugin that blocks suspicious cross‑site requests.

Generated by OpenCVE AI on April 30, 2026 at 20:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15473 Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder allows Cross Site Request Forgery. This issue affects WP Ultimate Tours Builder: from n/a through 1.055.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder allows Cross Site Request Forgery. This issue affects WP Ultimate Tours Builder: from n/a through 1.055. Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder WP_UltimateToursBuilder allows Cross Site Request Forgery.This issue affects WP Ultimate Tours Builder: from n/a through <= 1.055.
Title WordPress WP Ultimate Tours Builder <= 1.055 - Cross Site Request Forgery (CSRF) Vulnerability WordPress WP Ultimate Tours Builder plugin <= 1.055 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder allows Cross Site Request Forgery. This issue affects WP Ultimate Tours Builder: from n/a through 1.055.
Title WordPress WP Ultimate Tours Builder <= 1.055 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.385Z

Reserved: 2025-04-01T13:21:56.250Z

Link: CVE-2025-31921

cve-icon Vulnrichment

Updated: 2025-05-16T16:41:06.150Z

cve-icon NVD

Status : Deferred

Published: 2025-05-16T16:15:37.943

Modified: 2026-04-23T15:28:33.940

Link: CVE-2025-31921

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)