CVE-2025-11307
published 2025-11-11


Priority: P2 (75) · CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Badges: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.94% (77.6th percentile)
The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?action=wpgmza_query_nominatim_cache
Other: action=wpgmza_query_nominatim_cache
  • Unauthenticated POST to admin-ajax.php with action=wpgmza_store_nominatim_cache stores an unsanitized XSS payload; look for requests containing a crafted JSON body with a script tag in the nominatim cache data.
  • A successful store phase returns HTTP 200 with a JSON body containing {"success":1}; monitor for unauthenticated requests matching this response pattern on the wpgmza_store_nominatim_cache action.
  • The retrieval phase uses an unauthenticated GET to admin-ajax.php?action=wpgmza_query_nominatim_cache; the response contains the unescaped stored payload alongside the 'display_name' field with an application/json content-type; monitor for script tags in this response.
  • Both AJAX actions (wpgmza_store_nominatim_cache and wpgmza_query_nominatim_cache) are accessible without authentication; flag any unauthenticated requests to these endpoints from external IPs.
  • The vulnerability affects WP Go Maps (formerly WP Google Maps) plugin versions before 9.0.48 only; it is patched in 9.0.48 and later.
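The detection bullets above can be turned into a small classifier that runs over request/response records from a reverse proxy or WAF (an access log alone will not show the POST body that carries the store action). The following is an added example for this page, not code from cvebase or from the WP Go Maps project; the record layout (client_ip, method, url, headers, body, status, response_body), the wordpress_logged_in_* cookie test for "authenticated", the list of internal networks, and the sample records are all assumptions constructed for the demonstration.

```python
"""Tag proxy/WAF records that match the WP Go Maps nominatim-cache detection notes (added example)."""
import ipaddress
import json
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# The two AJAX actions named in the advisory notes.
WATCHED_ACTIONS = {"wpgmza_store_nominatim_cache", "wpgmza_query_nominatim_cache"}
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
# Assumption: clients outside these ranges count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _ajax_params(record):
    """Merged query-string/POST-body params if the request targets admin-ajax.php, else None."""
    parts = urlsplit(record["url"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    if record.get("method") == "POST":
        params.update(parse_qs(record.get("body", "")))
    return params


def _is_unauthenticated(record):
    # Assumption: a WordPress login session shows up as a wordpress_logged_in_* cookie.
    return "wordpress_logged_in_" not in record.get("headers", {}).get("Cookie", "")


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _json_strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _json_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _json_strings(item)


def classify_request(record):
    """Return the detection tags that apply to one request/response record."""
    params = _ajax_params(record)
    if params is None:
        return []
    action = params.get("action", [""])[0]
    if action not in WATCHED_ACTIONS:
        return []
    tags = [f"nominatim-cache-action:{action}"]
    if _is_unauthenticated(record) and _is_external(record["client_ip"]):
        tags.append("unauthenticated-external")
    try:
        response = json.loads(record.get("response_body", ""))
    except ValueError:
        response = None
    if action == "wpgmza_store_nominatim_cache":
        # Store phase: a script tag in any submitted parameter, and the {"success":1} reply.
        if any(SCRIPT_TAG.search(v) for values in params.values() for v in values):
            tags.append("script-tag-in-store-body")
        if record.get("status") == 200 and isinstance(response, dict) and response.get("success") == 1:
            tags.append("store-success-response")
    elif response is not None and any(SCRIPT_TAG.search(s) for s in _json_strings(response)):
        # Retrieval phase: a script tag surviving unescaped inside the JSON response.
        tags.append("script-tag-in-query-response")
    return tags


def scan(records):
    """Return {index: tags} for every record that triggered at least one tag."""
    return {i: classify_request(r) for i, r in enumerate(records) if classify_request(r)}


# Constructed sample records (not captured traffic): store phase, retrieval phase,
# a logged-in editor saving a map from the LAN, and an unrelated AJAX call.
SAMPLE_RECORDS = [
    {"client_ip": "203.0.113.10", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "headers": {}, "status": 200, "response_body": '{"success":1}',
     "body": "action=wpgmza_store_nominatim_cache&query=demo&data="
             + quote_plus('{"display_name":"<script>x</script>"}')},
    {"client_ip": "203.0.113.10", "method": "GET",
     "url": "/wp-admin/admin-ajax.php?action=wpgmza_query_nominatim_cache&query=demo",
     "headers": {}, "status": 200,
     "response_body": '[{"display_name":"<script>x</script>","lat":"0","lon":"0"}]'},
    {"client_ip": "192.168.1.20", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "headers": {"Cookie": "wordpress_logged_in_abc=editor|constructed"},
     "body": "action=wpgmza_store_nominatim_cache&query=office&data=%7B%22display_name%22%3A%22Office%22%7D",
     "status": 200, "response_body": '{"success":1}'},
    {"client_ip": "198.51.100.7", "method": "GET", "url": "/wp-admin/admin-ajax.php?action=heartbeat",
     "headers": {}, "status": 200, "response_body": "{}"},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_RECORDS).items():
        print(index, tags)
```

The first two records get the full set of tags for each phase, the logged-in internal save only gets the action tag and the success-response tag (which is normal editor activity on an unpatched site, not evidence of abuse), and the heartbeat call is ignored. The "unauthenticated-external" tag is the one the notes single out as worth alerting on regardless of payload, since neither action should be reachable without a session on versions before 9.0.48.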

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH