CVE-2025-49968

The XML Travel Portal Widget plugin (oganro-reservation-widget) for WordPress versions up to and including 2.0 contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of request origins, enabling an attacker to craft malicious requests that are executed in the context of an authenticated administrator or other privileged user.

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a form while logged into the WordPress admin panel [1]. No authentication is needed for the attacker, but the victim must have an active session with sufficient privileges to perform the targeted actions.

Successful exploitation allows an attacker to force the victim to perform unintended actions, such as changing plugin settings, modifying travel portal configurations, or other administrative operations, under the victim's current authentication [1]. This can lead to unauthorized changes or data manipulation within the affected WordPress site.

The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1]. As an immediate mitigation, users should update the plugin to a patched version if available; if not, contact the hosting provider or web developer for assistance [1].