CVE-2025-11307
Published 2025-11-11. CVE-2025-11307: The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated…
Priority: P275 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.94% (77.6th percentile)
The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.
Detection & IOCs (extracted from sources)
URL: /wp-admin/admin-ajax.php?action=wpgmza_query_nominatim_cache
Other: action=wpgmza_query_nominatim_cache
- Unauthenticated POST to admin-ajax.php with action=wpgmza_store_nominatim_cache stores an unsanitized XSS payload; look for requests containing a crafted JSON body with a script tag in the nominatim cache data.
- A successful store phase returns HTTP 200 with a JSON body containing {"success":1}; monitor for unauthenticated requests matching this response pattern on the wpgmza_store_nominatim_cache action.
- The retrieval phase uses an unauthenticated GET to admin-ajax.php?action=wpgmza_query_nominatim_cache; the response contains the unescaped stored payload alongside the 'display_name' field in an application/json content-type; monitor for script tags in this response.
- Both AJAX actions (wpgmza_store_nominatim_cache and wpgmza_query_nominatim_cache) are accessible without authentication; flag any unauthenticated requests to these endpoints from external IPs.
- The vulnerability affects WP Go Maps (formerly WP Google Maps) plugin versions before 9.0.48 only; patched in 9.0.48 and later.
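The IOCs above turned into detection logic, as an added example that is not part of this page or of any vendor rule set. It applies the store/query action names, the {"success":1} store response and the script-tag checks to request/response records from a reverse proxy or WAF; the record schema (url, body, status, response_body, authenticated) and the sample records are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two AJAX actions named in the advisory; both are reachable without authentication.
STORE_ACTION = "wpgmza_store_nominatim_cache"
QUERY_ACTION = "wpgmza_query_nominatim_cache"
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
STORE_OK = '{"success":1}'  # body the store phase returns on success (from the IOC list)

def admin_ajax_action(url):
    """Return the admin-ajax.php 'action' parameter, or None for any other URL."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    return parse_qs(parts.query).get("action", [None])[0]

def classify(rec):
    """Apply the IOCs above to one request/response record and return the tags it trips.
    Record schema is constructed for this example: url, body, status, response_body, authenticated."""
    action = admin_ajax_action(rec["url"])
    if action not in (STORE_ACTION, QUERY_ACTION):
        return []
    tags = []
    if not rec.get("authenticated", False):
        tags.append("unauth-access:" + action)
    if action == STORE_ACTION:
        if SCRIPT_RE.search(rec.get("body", "")):
            tags.append("script-in-store-payload")
        if rec.get("status") == 200 and STORE_OK in rec.get("response_body", ""):
            tags.append("store-accepted")
    elif SCRIPT_RE.search(rec.get("response_body", "")):  # only the query action reaches here
        tags.append("script-in-cache-response")
    return tags

def scan(records):
    """Return {index: tags} for every record that trips at least one IOC."""
    return {i: t for i, r in enumerate(records) if (t := classify(r))}

# Constructed sample records (not real traffic): a store/query pair carrying a script tag,
# a benign core action, and an authenticated query with a clean response.
SAMPLE = [
    {"url": "/wp-admin/admin-ajax.php?action=wpgmza_store_nominatim_cache", "authenticated": False,
     "body": '{"display_name":"<script>x</script>","lat":"0","lon":"0"}',
     "status": 200, "response_body": '{"success":1}'},
    {"url": "/wp-admin/admin-ajax.php?action=wpgmza_query_nominatim_cache&query=q", "authenticated": False,
     "status": 200, "response_body": '[{"display_name":"<script>x</script>","lat":"0"}]'},
    {"url": "/wp-admin/admin-ajax.php?action=heartbeat", "status": 200, "response_body": "{}", "authenticated": True},
    {"url": "/wp-admin/admin-ajax.php?action=wpgmza_query_nominatim_cache&query=seoul", "authenticated": True,
     "status": 200, "response_body": '[{"display_name":"Seoul","lat":"37.5665"}]'},
]
```

Running scan(SAMPLE) flags records 0 and 1 only; the "unauth-access" tag alone is expected on a public site because the plugin exposes these actions to anonymous users, so it is an enrichment signal rather than an alert on its own.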
CVSS provenance
NVD: v3.1 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH
GHSA
GHSA-c6hq-4jpf-r2mq [MEDIUM] (ghsa_unreviewed · 2025-11-11): The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.
VulnCheck
CVE-2025-11307 [HIGH] codecabin wp_go_maps Vulnerability (vulncheck · 2025 · CVSS 8.8)
Affected: codecabin wp_go_maps
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/wp-google-maps/vulnerability/wordpress-google-maps-plugin-9-0-47-unauthenticated-stored-cross-site-scripting-vulnerability
No detection rules found.
Nuclei
CVE-2025-11307 [HIGH] WP Google Maps < 9.0.48 - Cross-Site Scripting (nuclei · CVSS 8.8)
Template as indexed (the first raw request block is cut off before its matchers):

```yaml
WP Google Maps ","lat":"37.5665","lon":"126.9780","boundingbox":["37.4","37.7","126.7","127.1"]}]
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{\"success\":1}")'
        condition: and
        internal: true
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=wpgmza_query_nominatim_cache&query={{cache_key}} HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "", "display_name")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100d9ec58f85575624c688ce9b945a915723253e9a063246d44b67abd52c0aa660b02207640626d8f1bec28e2c7208821963f53b178f68a8e854f0b52e519654655be90:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Published: 2025-11-11 · Exploited in the wild