Cyber Posture

CVE-2025-31613

High

Published: 31 March 2025

Published
31 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0020 41.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31613 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match
prevent

SC-23 enforces session authenticity mechanisms like anti-CSRF tokens or origin validation to directly prevent forged cross-site requests exploiting this vulnerability.

SI-10 Information Input Validation good match
prevent

SI-10 validates information inputs to block malicious XSS payloads from being accepted and stored through the CSRF attack vector.

SI-15 Information Output Filtering partial match
prevent

SI-15 filters and sanitizes information outputs to neutralize any XSS scripts that may have been persisted via the CSRF exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

CSRF in public-facing WordPress plugin exploited via malicious link to achieve stored XSS enabling persistent JavaScript execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in Aboobacker. AB Google Map Travel ab-google-map-travel allows Cross Site Request Forgery.This issue affects AB Google Map Travel : from n/a through <= 4.6.

Deeper analysisAI

CVE-2025-31613 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the AB Google Map Travel WordPress plugin developed by Aboobacker. This issue affects all versions of the plugin from n/a through 4.6 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change.

Attackers can exploit this vulnerability remotely over the network without authentication privileges, but it requires user interaction, such as tricking a victim into visiting a malicious site or clicking a forged link. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, specifically through CSRF actions that lead to stored XSS, allowing attackers to inject and persist malicious scripts in the context of the affected site.

The Patchstack advisory provides further details on this CSRF-to-stored-XSS vulnerability in AB Google Map Travel version 4.6, available at https://patchstack.com/database/Wordpress/Plugin/ab-google-map-travel/vulnerability/wordpress-ab-google-map-travel-plugin-4-6-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-352

CVEs Like This One

CVE-2025-23677Shared CWE-352
CVE-2025-27355Shared CWE-352
CVE-2025-26569Shared CWE-352
CVE-2025-23870Shared CWE-352
CVE-2025-23497Shared CWE-352
CVE-2025-23537Shared CWE-352
CVE-2025-31569Shared CWE-352
CVE-2025-23577Shared CWE-352
CVE-2025-26543Shared CWE-352
CVE-2025-31616Shared CWE-352

References