CVE-2025-24742
Published: 27 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24742 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP Go Maps plugin (wp-google-maps) for WordPress. This issue affects all versions of WP Go Maps from n/a through 9.0.40. The vulnerability was published on 2025-01-27 and carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
A remote attacker requiring no privileges can exploit this vulnerability by tricking an authenticated user into performing an unintended action on the website via a forged request. Exploitation requires user interaction, such as clicking a malicious link, and results in a low integrity impact with no effect on confidentiality or availability.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-google-maps/vulnerability/wordpress-wp-google-maps-plugin-9-0-40-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) documents the vulnerability in WP Go Maps version 9.0.40 and recommends updating to a version later than 9.0.40, in which the issue is addressed.
Details
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF requires tricking an authenticated user into submitting a forged request, typically delivered through a malicious link. This maps directly to spearphishing link delivery and to the user's execution of that link.