CVE-2025-49966
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the Oganro Travel Portal Search Widget for HotelBeds APITUDE API plugin (version 1.0 and earlier). It allows an attacker to trick authenticated users, especially those with higher privileges, into executing unwanted actions on the site without their consent. This can compromise site security by exploiting the trust a site has in a user's browser. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized actions being performed on your site by attackers without your knowledge, potentially compromising site security. Since it affects privileged users, attackers could manipulate site functions or data. The plugin is abandoned with no official fix, so the risk persists unless mitigated by virtual patching or removing the plugin. This could result in security breaches and require professional incident response if exploited. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the vulnerable Oganro Travel Portal Search Widget for HotelBeds APITUDE API plugin, as no official patch is available. Applying a virtual patch (vPatch) from Patchstack can provide immediate protection. Users should consider alternative software solutions and seek professional incident response if a compromise is suspected. [1]