Description
Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API oganro-travel-portal-search-widget-for-hotelbeds-apitude-api allows Cross Site Request Forgery.This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through <= 1.0.
Published: 2025-06-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an attacker to forge requests on behalf of a victim user, causing the plugin to perform unintended actions such as submitting data or modifying settings. This compromise of integrity can lead to unauthorized configuration changes or data exposure, depending on the privileges of the compromised account. The weakness is identified as CWE-352.

Affected Systems

The affected product is Oganro Travel Portal Search Widget for HotelBeds APITUDE API by Oganro. All released versions up to and including 1.0 are vulnerable; versions prior to the first release are also affected as indicated by "n/a through <= 1.0".

Risk and Exploitability

The CVSS score of 4.3 categorizes the vulnerability as moderate risk, while the EPSS score of less than 1% indicates a very low probability that exploitation will occur in the near term. The vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploits. The likely attack vector is a browser‑based CSRF attack that requires the victim to be authenticated to the WordPress site; the attack can be executed by tricking the user into visiting a malicious page that submits a request to the plugin’s endpoint.

Generated by OpenCVE AI on April 30, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to plugin version greater than 1.0 or the latest released release.
  • If upgrading immediately is not feasible, implement a CSRF protection mechanism such as a WordPress nonce or utilize a security plugin that blocks unauthenticated requests to the plugin’s endpoints.
  • Limit the plugin’s use to trusted administrators or disable the plugin until a fix is applied.

Generated by OpenCVE AI on April 30, 2026 at 10:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28334 Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API allows Cross Site Request Forgery. This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API allows Cross Site Request Forgery. This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through 1.0. Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API oganro-travel-portal-search-widget-for-hotelbeds-apitude-api allows Cross Site Request Forgery.This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 20 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API allows Cross Site Request Forgery. This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through 1.0.
Title WordPress Oganro Travel Portal Search Widget for HotelBeds APITUDE API plugin <= 1.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:14.041Z

Reserved: 2025-06-11T16:07:41.544Z

Link: CVE-2025-49966

cve-icon Vulnrichment

Updated: 2025-06-20T16:24:04.704Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:21.430

Modified: 2026-04-23T15:31:53.180

Link: CVE-2025-49966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:45:26Z

Weaknesses