{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11166", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T16:49:57.375Z", "datePublished": "2025-10-09T01:48:48.168Z", "dateUpdated": "2026-04-08T17:04:17.640Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:17.640Z"}, "affected": [{"vendor": "wpgmaps", "product": "WP Go Maps (formerly WP Google Maps)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.0.46", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests."}], "title": "WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/840ba5b2-838a-455a-b39d-865f89c05249?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L287"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L850"}, {"url": "https://research.cleantalk.org/cve-2025-11166"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3370954%40wp-google-maps%2Ftrunk&old=3317391%40wp-google-maps%2Ftrunk&sfp_email=&sfph_mail=#file1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-10-01T06:42:27.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-08T13:41:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-09T18:10:44.699312Z", "id": "CVE-2025-11166", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T18:10:57.000Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11166", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-09T18:10:44.699312Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T18:10:51.974Z"}}], "cna": {"title": "WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "wpgmaps", "product": "WP Go Maps (formerly WP Google Maps)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.0.46"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-01T06:42:27.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-08T13:41:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/840ba5b2-838a-455a-b39d-865f89c05249?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L287"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L850"}, {"url": "https://research.cleantalk.org/cve-2025-11166"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3370954%40wp-google-maps%2Ftrunk&old=3317391%40wp-google-maps%2Ftrunk&sfp_email=&sfph_mail=#file1"}], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:17.640Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11166", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:17.640Z", "dateReserved": "2025-09-29T16:49:57.375Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-09T01:48:48.168Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests."}], "id": "CVE-2025-11166", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-09T02:15:41.213", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L287"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L45"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php#L850"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3370954%40wp-google-maps%2Ftrunk&old=3317391%40wp-google-maps%2Ftrunk&sfp_email=&sfph_mail=#file1"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-11166"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/840ba5b2-838a-455a-b39d-865f89c05249?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:13:26.989769+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Go Maps plugin to the latest version (9.0.47 or newer) to remove the vulnerable REST endpoints and CSRF oversight.", "If upgrading immediately is not possible, block or restrict the exposed REST routes for marker and geometry manipulation by adding a custom WordPress hook or using a security plugin rule that denies unauthenticated access to the affected endpoints.", "Verify that all remaining REST routes for the plugin require a valid CSRF token and a permission_callback; if not, disable the affected routes until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "CSRF leading to unauthorized changes to map markers and settings"}, "threat_synthesis": {"affected_systems": "All installations of the WP Go Maps (formerly WP Google Maps) plugin with a version number 9.0.46 or earlier are impacted. The vulnerability affects the plugin\u2019s REST API endpoints that handle marker and geometry CRUD operations.", "description_and_impact": "The WP Go Maps plugin contains a Cross\u2011Site Request Forgery flaw in all versions up to 9.0.46. The plugin exposes state\u2011changing REST actions through an AJAX bridge that lacks proper CSRF token validation and, for certain routes, permits destructive logic to be triggered via GET requests without a permission_callback. Consequently, an unauthenticated attacker can trick a logged\u2011in administrator into creating, updating, or deleting map markers and geometry features, and an anonymous user can invoke a mass deletion of all markers through unsafe GET requests.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity. The EPSS score is less than 1 percent, implying a very low current exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. The flaw can be exploited via a standard CSRF attack vector, meaning an attacker only needs to host a malicious page that submits a forged request to the known endpoints. Permissions are not required, and the attack can be carried out on any WordPress site running a vulnerable plugin version, regardless of whether the attacker is authenticated."}}}}, "created": "2025-10-09T12:51:20.631811+00:00", "updated": "2026-04-22T13:15:17.850779+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpgmaps", "wpgmaps$PRODUCT$wp_go_maps", "wpgmaps$PRODUCT$wp_google_maps"]}