Rating:
Medium
Patched:
Yes
Type:
plugin
CVSS Score:
5.4
From Version:
*
To Version:
9.0.46
CVE:
CVE-2025-11166
Patched Version:
9.0.47
Published:
08.10.2025
Updated:
08.10.2025
How to fix the vulnerability?
Update to version 9.0.47, or a newer patched version
WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update
Slug:
wp-google-maps
Description:
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.
CWE:
Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Researchers:
- Dmitrii Ignatyev
CVE Link:
CVE-2025-11166Copyrights:
This record contains material that is subject to copyright
Copyright 2012-2025 Defiant Inc.
Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.
https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/