Description
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.
Published: 2025-10-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSRF leading to unauthorized changes to map markers and settings
Action: Immediate Patch
AI Analysis

Impact

The WP Go Maps plugin contains a Cross-Site Request Forgery flaw in all versions up to 9.0.46. The plugin exposes state-changing REST actions through an AJAX bridge that lacks proper CSRF token validation and, for certain routes, permits destructive logic to be triggered via GET requests without a permission_callback. Consequently, an unauthenticated attacker can trick a logged-in administrator into creating, updating, or deleting map markers and geometry features, and an anonymous user can invoke a mass deletion of all markers through unsafe GET requests.

Affected Systems

All installations of the WP Go Maps (formerly WP Google Maps) plugin with a version number 9.0.46 or earlier are impacted. The vulnerability affects the plugin’s REST API endpoints that handle marker and geometry CRUD operations.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score is less than 1 percent, implying a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The flaw can be exploited via a standard CSRF attack vector, meaning an attacker only needs to host a malicious page that submits a forged request to the known endpoints. Permissions are not required, and the attack can be carried out on any WordPress site running a vulnerable plugin version, regardless of whether the attacker is authenticated.

Generated by OpenCVE AI on April 22, 2026 at 13:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Go Maps plugin to the latest version (9.0.47 or newer) to remove the vulnerable REST endpoints and CSRF oversight.
  • If upgrading immediately is not possible, block or restrict the exposed REST routes for marker and geometry manipulation by adding a custom WordPress hook or using a security plugin rule that denies unauthenticated access to the affected endpoints.
  • Verify that all remaining REST routes for the plugin require a valid CSRF token and a permission_callback; if not, disable the affected routes until a patch is applied.
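The pattern the last two recommendations describe, shown as an added example rather than the plugin's own code: a destructive REST route registered with a permission_callback and restricted to DELETE, an admin-ajax bridge that verifies a nonce before forwarding a state change, and an interim filter that denies requests to the affected routes from callers without the capability. The namespace example-maps/v1, the route, and the handler names are placeholders; only core WordPress APIs are used.

```php
<?php
// Added example, not WP Go Maps code. 'example-maps/v1' and the handler names
// are placeholders; every function called below is a core WordPress API.

// 1. Register the destructive route with a permission_callback and restrict the
//    HTTP method, so GET requests and unauthenticated callers never reach it.
//    Core REST cookie auth only accepts a logged-in user when a valid X-WP-Nonce
//    header is present, so current_user_can() fails for a forged cross-site call.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-maps/v1', '/markers/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE, // DELETE only, never GET
        'callback'            => 'example_maps_delete_marker',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'id' => array( 'validate_callback' => function ( $v ) { return ctype_digit( (string) $v ); } ),
        ),
    ) );
} );

function example_maps_delete_marker( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    // ... delete the single marker $id here (placeholder) ...
    return rest_ensure_response( array( 'deleted' => $id ) );
}

// 2. An admin-ajax bridge must validate a nonce (created client-side with
//    wp_create_nonce( 'example_maps_bridge' )) before forwarding a state change;
//    check_ajax_referer() ends the request with HTTP 403 when it is missing or stale.
add_action( 'wp_ajax_example_maps_bridge', function () {
    check_ajax_referer( 'example_maps_bridge', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... forward the validated parameters to the REST handler ...
    wp_send_json_success();
} );

// 3. Interim mitigation while the plugin cannot be upgraded: short-circuit every
//    request under the affected namespace unless the caller holds the capability.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( 0 === strpos( $request->get_route(), '/example-maps/v1/' )
         && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $response;
}, 10, 3 );
```

The filter in step 3 runs before any route callback, so it also covers routes the plugin registered without a permission_callback; replace the placeholder namespace with the plugin's actual REST namespace before deploying.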

Advisories

No advisories yet.

History

Thu, 09 Oct 2025 18:15:00 +0000
  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Oct 2025 13:00:00 +0000
  First Time appeared (values added): Wordpress; Wordpress wordpress; Wpgmaps; Wpgmaps wp Go Maps; Wpgmaps wp Google Maps
  Vendors & Products (values added): Wordpress; Wordpress wordpress; Wpgmaps; Wpgmaps wp Go Maps; Wpgmaps wp Google Maps

Thu, 09 Oct 2025 02:15:00 +0000
  Description (values added): The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.
  Title (values added): WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update
  Weaknesses (values added): CWE-352
  References (values added):
  Metrics (values added): cvssV3_1
    {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:17.640Z

Reserved: 2025-09-29T16:49:57.375Z

Link: CVE-2025-11166

Vulnrichment

Updated: 2025-10-09T18:10:51.974Z

NVD

Status: Deferred

Published: 2025-10-09T02:15:41.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses