Description
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from server-side responses and instead relying on user-input. This makes it possible for unauthenticated attackers to poison the cache location for location search results.
Published: 2025-10-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cache Poisoning
Action: Update Plugin
AI Analysis

Impact

The plugin fails to serve cached data from server‑side responses and instead trusts user input, allowing unauthenticated attackers to inject malicious content into the cache for location search results. This leads to integrity violations, potentially delivering arbitrary data to site visitors. The weakness is a Cache Poisoning flaw (CWE‑349).

Affected Systems

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable in all versions up to and including 9.0.48. Any WordPress site running this plugin before upgrading to 9.0.49 or newer is affected.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate risk. An EPSS score of less than 1% indicates a low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in CISA KEV. Because the flaw relies solely on user input, the attack vector is likely unrestricted network traffic, but the modest score and low exposure probability suggest a moderate threat level that warrants timely remediation.

Generated by OpenCVE AI on April 22, 2026 at 12:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Go Maps plugin to the latest version (9.0.49 or newer).
  • Reconfigure or disable client‑side caching for location search features to enforce server‑side caching.
  • Audit site logs for anomalous requests and periodically purge or reset caches to mitigate potential poisoning.

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Oct 2025 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpgmaps; Wpgmaps wp Go Maps; Wpgmaps wp Google Maps
Vendors & Products | | Wordpress; Wordpress wordpress; Wpgmaps; Wpgmaps wp Go Maps; Wpgmaps wp Google Maps

Sat, 18 Oct 2025 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from server-side responses and instead relying on user-input. This makes it possible for unauthenticated attackers to poison the cache location for location search results.
Title | | WP Go Maps (formerly WP Google Maps) <= 9.0.48 - Unauthenticated Cache Poisoning
Weaknesses | | CWE-349
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:58.001Z

Reserved: 2025-10-13T18:54:06.234Z

Link: CVE-2025-11703

Vulnrichment

Updated: 2025-10-20T18:45:07.367Z

NVD

Status: Deferred

Published: 2025-10-18T07:15:35.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses