{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11999", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T20:57:46.854Z", "datePublished": "2025-11-11T03:30:52.126Z", "dateUpdated": "2026-04-08T17:33:14.387Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:14.387Z"}, "affected": [{"vendor": "krishaweb", "product": "Multi Location Marker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API and reset maps."}], "title": "Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f1467d-1f66-4e99-af44-9329cfe1efac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/add-multiple-marker/tags/1.2/functions.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3433258/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hardik Patel"}], "timeline": [{"time": "2025-11-10T15:17:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:00:24.518754Z", "id": "CVE-2025-11999", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:04:34.484Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11999", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:00:24.518754Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:00:26.527Z"}}], "cna": {"title": "Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Hardik Patel"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "krishaweb", "product": "Add Multiple Marker", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:17:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f1467d-1f66-4e99-af44-9329cfe1efac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/add-multiple-marker/tags/1.2/functions.php"}, {"url": "https://tinyurl.com/2bcmmpxb"}], "descriptions": [{"lang": "en", "value": "The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API and reset maps."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T03:30:52.126Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11999", "state": "PUBLISHED", "dateUpdated": "2025-11-12T20:04:34.484Z", "dateReserved": "2025-10-20T20:57:46.854Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:52.126Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API and reset maps."}], "id": "CVE-2025-11999", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:45.463", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/add-multiple-marker/tags/1.2/functions.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3433258/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f1467d-1f66-4e99-af44-9329cfe1efac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:41:21.713336+00:00", "value": {"mitigation_remediation": ["Update the Multi Location Marker plugin to the latest version, which resolves the missing capability checks.", "If an update is not immediately possible or the plugin is no longer required, deactivate it entirely to eliminate the attack surface.", "As a temporary measure, apply a custom patch or add a capability check to the addmultiplemarker_reset_map() and amm_save_map_api() functions to restrict access to authorized users."], "summary": {"action": "Patch", "impact": "Unauthorized Configuration Change"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the krishaweb Multi Location Marker WordPress plugin in all releases up to and including version 1.2. Users running any of these versions should review their installation and determine whether the plugin is required for their site.", "description_and_impact": "The Add Multiple Marker plugin for WordPress does not perform a capability check in the addmultiplemarker_reset_map() and amm_save_map_api() functions, allowing an attacker to modify the map API key and reset the map without authentication. This can be used to alter how map data is displayed or to revert custom configurations back to default, effectively granting control over the plugin\u2019s settings without proper authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1% suggests very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack vector is through unauthenticated HTTP requests to the vulnerable plugin endpoints; an attacker can directly send crafted requests to trigger the map reset or API key update functions without needing any credentials."}}}}, "created": "2025-11-12T12:42:53.267847+00:00", "updated": "2026-04-21T01:45:24.445554+00:00", "vendors": ["krishaweb", "krishaweb$PRODUCT$add_multiple_marker", "wordpress", "wordpress$PRODUCT$wordpress"]}