Impact
The Travel Map plugin contains a CSRF weakness that permits an attacker to forge requests on behalf of an authenticated user. By exploiting this flaw, an attacker could trigger the plugin to execute any actions that the logged-in user is authorized to perform, thereby compromising the integrity of site content or plugin configuration. The flaw does not allow direct code execution or disclosure of secrets.
Affected Systems
WordPress sites that have the Travel Map plugin version 1.0.3 or earlier installed are affected. The plugin is bundled under the vendor TravelMap and is used in various WordPress deployments; any site running these versions faces the stated vulnerability.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate potential impact, and the EPSS score of less than 1% reflects a low likelihood of widespread exploitation in the immediate future. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to persuade a legitimate user to submit a crafted request, or get a malicious link opened in a browser session that already holds authentication cookies for the site. Without administrative access or specific user privileges, the damage remains limited to the operations that the authenticated user can perform, making the risk lower than for higher-severity flaws.