Cyber Resilience

CVE-2025-24742

Medium

Published: 27 January 2025

Published
27 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score 0.0021 44.0th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24742 is a medium-severity CSRF (CWE-352) vulnerability in Codecabin Wp Go Maps. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 44.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-24742 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP Go Maps plugin (wp-google-maps) for WordPress. This issue affects all versions of WP Go Maps from n/a through 9.0.40. The vulnerability was published on 2025-01-27 and carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

A remote attacker with no required privileges can exploit this vulnerability by tricking an authenticated user into performing an unintended action on a web site via a forged request. This requires user interaction, such as clicking a malicious link, and results in low integrity impact with no effects on confidentiality or availability.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-google-maps/vulnerability/wordpress-wp-google-maps-plugin-9-0-40-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) documents the vulnerability in WP Go Maps version 9.0.40, recommending mitigation through updating to a version beyond 9.0.40 where the issue is addressed.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in WPGMaps WP Go Maps wp-google-maps.This issue affects WP Go Maps: from n/a through <= 9.0.40.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF requires tricking authenticated user via forged request delivered through malicious link, directly enabling spearphishing link delivery and user execution of the link.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4922Shared CWE-352
CVE-2026-40926Shared CWE-352
CVE-2024-51144Shared CWE-352
CVE-2026-25812Shared CWE-352
CVE-2025-59894Shared CWE-352
CVE-2024-47100Shared CWE-352
CVE-2025-26963Shared CWE-352
CVE-2026-38566Shared CWE-352
CVE-2025-25154Shared CWE-352
CVE-2024-12386Shared CWE-352

Affected Assets

codecabin
wp go maps
≤ 9.0.41 · ≤ 9.0.41

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CSRF vulnerability by identifying, patching, and verifying the fix in the WP Go Maps plugin up to version 9.0.40.

prevent

Protects session authenticity using mechanisms like anti-CSRF tokens to prevent forged requests from tricking authenticated users in the WordPress plugin.

prevent

Validates inputs such as CSRF tokens in plugin requests to reject unauthorized forged cross-site requests.

References