Impact
The Basic Interactive World Map plugin is vulnerable to Cross‑Site Request Forgery (CSRF), which allows an unauthenticated attacker to alter the plugin’s settings. By causing a user’s browser to send a forged request, the attacker can modify configuration options without the user noticing. This weakness is classified as CWE‑352 and can result in unintended behavior of the website if critical settings are changed.
Affected Systems
All installations of the Basic Interactive World Map plugin from any release up to and including version 2.7 are affected. The vendor is WP Map Plugins, and the product is the Basic Interactive World Map.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate level of risk, and the EPSS score of less than 1% reflects a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires the victim to visit a malicious link or submit a compromised form, after which the attacker would be able to change the plugin settings. The CVE data does not explicitly state it, but it is inferred that the victim must be authenticated with sufficient privileges to modify these settings. The attacker’s potential impact is limited to changing plugin settings and does not extend to broader system access.
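A typical shape for this class of bug in a WordPress settings handler, beside its hardened form, as an added example. It is not the plugin's code: every option, action, page and field name below is a hypothetical placeholder, and the capability required is assumed to be manage_options.

```php
<?php
// Hypothetical plugin code: option, action, page and field names are
// placeholders, not identifiers from the Basic Interactive World Map plugin.

// BEFORE: state-changing handler with no request-origin check (CWE-352).
// The browser attaches the admin's session cookie to any POST sent here,
// including one triggered by a page on another site.
add_action('admin_post_example_map_save_unsafe', function () {
    $title = sanitize_text_field(wp_unslash($_POST['map_title'] ?? ''));
    update_option('example_map_title', $title);
    wp_safe_redirect(admin_url('options-general.php?page=example-map'));
    exit;
});

// AFTER: the settings form embeds a nonce tied to the user, session and action.
function example_map_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_map_save">
        <?php wp_nonce_field('example_map_save', 'example_map_nonce'); ?>
        <input type="text" name="map_title"
               value="<?php echo esc_attr(get_option('example_map_title', '')); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action('admin_post_example_map_save', function () {
    // Reject callers who may not change settings, whatever the request origin.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // Terminates the request unless the POST carries a valid nonce for this
    // action, which a cross-site page cannot read or predict.
    check_admin_referer('example_map_save', 'example_map_nonce');

    $title = sanitize_text_field(wp_unslash($_POST['map_title'] ?? ''));
    update_option('example_map_title', $title);
    wp_safe_redirect(admin_url('options-general.php?page=example-map'));
    exit;
});
```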