CVE-2025-31613

CVE-2025-31613 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the AB Google Map Travel WordPress plugin developed by Aboobacker. This issue affects all versions of the plugin from n/a through 4.6 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change.

Attackers can exploit this vulnerability remotely over the network without authentication privileges, but it requires user interaction, such as tricking a victim into visiting a malicious site or clicking a forged link. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, specifically through CSRF actions that lead to stored XSS, allowing attackers to inject and persist malicious scripts in the context of the affected site.

The Patchstack advisory provides further details on this CSRF-to-stored-XSS vulnerability in AB Google Map Travel version 4.6, available at https://patchstack.com/database/Wordpress/Plugin/ab-google-map-travel/vulnerability/wordpress-ab-google-map-travel-plugin-4-6-csrf-to-stored-xss-vulnerability?_s_id=cve.