CVE-2025-49966
Description
Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API oganro-travel-portal-search-widget-for-hotelbeds-apitude-api allows Cross Site Request Forgery. This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through <= 1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Oganro Travel Portal Search Widget plugin for WordPress allows attackers to force privileged users into executing unwanted actions.
The Oganro Travel Portal Search Widget for HotelBeds APITUDE API (WordPress plugin, version <= 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The root cause is the absence of anti-CSRF tokens or validation mechanisms in state-changing requests, enabling unauthorized commands to be submitted under the guise of an authenticated user [1].
Exploitation requires user interaction; a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a deceptive form [1]. The attacker does not need direct authentication but relies on the victim's active session to perform unintended actions [1].
Successful exploitation allows an attacker to force higher-privileged users to execute unwanted actions under their current authentication context [1]. This could include modifying plugin settings, deleting data, or triggering other administrative functions without the victim's consent [1].
As of the advisory date, immediate action is recommended: update the plugin to a patched version if available [1]. If updating is not possible, users should consult their hosting provider or web developer for assistance [1]. The vulnerability is also noted as exploitable in mass campaigns, highlighting the need for prompt remediation [1].
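The missing control described above, shown as a WordPress settings handler without and with nonce validation. This is an added example, not the plugin's code: every `otp_demo_*` name, the option key and the settings page slug are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added example. All otp_demo_* identifiers are hypothetical, not taken from the plugin.

// Settings form: wp_nonce_field() emits a hidden token bound to this action
// and to the logged-in user's session, which a cross-site page cannot read.
function otp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="otp_demo_save">
        <?php wp_nonce_field( 'otp_demo_save', 'otp_demo_nonce' ); ?>
        <input type="text" name="otp_demo_api_key"
               value="<?php echo esc_attr( get_option( 'otp_demo_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Vulnerable shape (not registered here): the admin's session cookie is the only
// thing authorising the write, so any page the admin visits can submit this POST.
function otp_demo_save_unsafe() {
    $key = sanitize_text_field( wp_unslash( $_POST['otp_demo_api_key'] ?? '' ) );
    update_option( 'otp_demo_api_key', $key );
}

// Hardened shape: capability check plus nonce check before any state change.
function otp_demo_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Terminates the request with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'otp_demo_save', 'otp_demo_nonce' );

    $key = sanitize_text_field( wp_unslash( $_POST['otp_demo_api_key'] ?? '' ) );
    update_option( 'otp_demo_api_key', $key );

    // Hypothetical settings page slug.
    wp_safe_redirect( admin_url( 'options-general.php?page=otp-demo' ) );
    exit;
}
add_action( 'admin_post_otp_demo_save', 'otp_demo_save' );
```

When reviewing a plugin for this class of issue, look for `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks that write options or delete data without a matching `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call.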
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.