CVE-2025-11166
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-09
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_google_maps | wp_google_maps | 9.0.47 |
| wp_google_maps | wp_google_maps | 9.0.46 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the WP Go Maps WordPress plugin (up to version 9.0.46) and is a Cross-Site Request Forgery (CSRF) issue. The plugin exposes state-changing REST actions through an AJAX bridge without proper CSRF token validation, and destructive actions can be triggered via GET requests without permission checks. This allows attackers to trick logged-in administrators into creating, updating, or deleting map markers and geometry features, and lets anonymous users cause mass deletion of markers.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized changes to map data on a WordPress site using the WP Go Maps plugin. Attackers can force administrators to modify or delete map markers and geometry features without their consent, and anonymous users can trigger mass deletion of markers. This can disrupt website functionality, cause data loss, and potentially damage the site's integrity and user trust.
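The defect class described in the first answer (a state-changing AJAX action reachable without a CSRF token, without a capability check, and via GET, CWE-352) and its standard WordPress mitigation, shown side by side as an added illustration. This is not WP Go Maps code and does not reproduce the plugin's handlers; the action name `demo_delete_marker`, the function names, the `manage_options` capability, the REST namespace and the option key are all hypothetical stand-ins.

```php
<?php
// Added illustration of CWE-352 in a WordPress AJAX/REST bridge. Not WP Go Maps
// code; every action, function, option and route name here is hypothetical.

// WEAK PATTERN (do not ship): any request reaching admin-ajax.php with
// action=demo_delete_marker runs the destructive operation. There is no nonce
// (CSRF token), no capability check, GET is accepted, and the nopriv hook makes
// the handler reachable by visitors who are not logged in at all.
function demo_delete_marker_weak() {
    $id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
    delete_option('demo_marker_' . $id);   // stand-in for the real deletion
    wp_send_json_success(array('deleted' => $id));
}
// add_action('wp_ajax_demo_delete_marker', 'demo_delete_marker_weak');
// add_action('wp_ajax_nopriv_demo_delete_marker', 'demo_delete_marker_weak');

// HARDENED PATTERN: three independent controls, applied in this order.
function demo_delete_marker_hardened() {
    // 1. CSRF token: a nonce bound to this action and to the current user.
    //    check_ajax_referer() ends the request with HTTP 403 when the nonce is
    //    absent, forged, or expired, so a cross-site form cannot supply one.
    check_ajax_referer('demo_delete_marker', 'nonce');

    // 2. Authorisation: the caller must hold the capability for this
    //    operation, regardless of how the request was routed.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // 3. Method: destructive actions are accepted only as POST, so a plain
    //    link, redirect, or image tag cannot trigger them.
    if ('POST' !== $_SERVER['REQUEST_METHOD']) {
        wp_send_json_error(array('message' => 'method not allowed'), 405);
    }

    $id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    if (0 === $id) {
        wp_send_json_error(array('message' => 'invalid id'), 400);
    }
    delete_option('demo_marker_' . $id);
    wp_send_json_success(array('deleted' => $id));
}
add_action('wp_ajax_demo_delete_marker', 'demo_delete_marker_hardened');
// Deliberately no wp_ajax_nopriv_ registration: anonymous requests never
// reach the handler, which removes the mass-deletion-by-visitor path.

// The same rule for a REST route: WordPress requires a permission_callback,
// and it must actually check a capability rather than return true.
function demo_register_marker_route() {
    register_rest_route('demo/v1', '/markers/(?P<id>\d+)', array(
        'methods'             => 'DELETE',   // never GET for a destructive action
        'callback'            => function (WP_REST_Request $req) {
            delete_option('demo_marker_' . absint($req['id']));
            return rest_ensure_response(array('deleted' => absint($req['id'])));
        },
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args'                => array(
            'id' => array('validate_callback' => 'is_numeric'),
        ),
    ));
}
add_action('rest_api_init', 'demo_register_marker_route');

// The legitimate admin page issues the nonce that the AJAX handler verifies.
// REST requests made from the admin UI send the 'wp_rest' nonce in the
// X-WP-Nonce header, which is how the REST cookie authentication gets a
// CSRF token of its own.
function demo_enqueue_marker_script() {
    wp_enqueue_script('demo-markers', plugins_url('markers.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('demo-markers', 'demoMarkers', array(
        'ajaxUrl'   => admin_url('admin-ajax.php'),
        'nonce'     => wp_create_nonce('demo_delete_marker'),
        'restNonce' => wp_create_nonce('wp_rest'),
    ));
}
add_action('admin_enqueue_scripts', 'demo_enqueue_marker_script');
```

When reviewing a plugin for this defect, the checks to look for are exactly the three in the hardened handler: a `check_ajax_referer()` or `wp_verify_nonce()` call on the action's own nonce, a `current_user_can()` check for the capability the operation needs, and a POST/DELETE-only method restriction. A `wp_ajax_nopriv_` registration on a write operation, or a REST `permission_callback` that returns `__return_true`, is the signature of the anonymous-access variant described above.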