CVE-2025-11307 Overview
CVE-2025-11307 is a stored Cross-Site Scripting (XSS) vulnerability in the WP Go Maps WordPress plugin, formerly known as WP Google Maps. Versions before 9.0.48 fail to sanitize user input submitted through an AJAX action. Unauthenticated attackers can store malicious JavaScript payloads on the target site. The payloads are later retrieved through a separate AJAX call and output to the page without escaping. The vulnerability impacts confidentiality, integrity, and availability when administrators or other users trigger the affected AJAX response.
Critical Impact
Unauthenticated remote attackers can inject persistent JavaScript that executes in the browsers of site visitors and administrators, enabling session theft, account takeover, and full administrative compromise of the WordPress site.
Affected Products
- WP Go Maps (formerly WP Google Maps) WordPress plugin versions before 9.0.48
- WordPress sites with the vulnerable plugin active and AJAX endpoints reachable
- Any WordPress installation exposing the affected wpgmza AJAX handlers to anonymous users
Discovery Timeline
- 2025-11-11 - CVE-2025-11307 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11307
Vulnerability Analysis
The flaw is a stored Cross-Site Scripting issue [CWE-79] reachable without authentication. The plugin exposes an AJAX action that accepts user-controlled input. The handler writes the input to persistent storage without applying sanitization functions such as wp_kses or sanitize_text_field. A second AJAX action later retrieves that stored data and echoes it into the response without escaping helpers such as esc_html or esc_attr. When the response is rendered in a browser context, the injected JavaScript executes under the origin of the WordPress site.
The EPSS score of 2.635% (85th percentile) reflects elevated probability of exploitation activity against vulnerable installations. WordPress plugins with large install bases are routinely scanned by mass-exploitation tooling once a stored XSS is publicly documented.
Root Cause
The root cause is missing input sanitization on write and missing output escaping on read. The AJAX endpoint trusts unauthenticated request parameters. WordPress security guidance requires sanitizing on input and escaping on output, and the plugin performs neither for the affected fields.
Attack Vector
An attacker sends a crafted AJAX request to the vulnerable admin-ajax.php action with a JavaScript payload in the targeted parameter. The payload is stored server-side. When an administrator or visitor loads a page that invokes the second AJAX action, the stored payload is returned and rendered, executing in their session. Because no privileges are required and the action is network-reachable, exploitation can be fully automated. See the WPScan Vulnerability Report for additional technical context.
No verified public exploit code is referenced in the advisory. Technical details are described in prose per the vendor disclosure.
Detection Methods for CVE-2025-11307
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action parameters tied to wpgmza handlers originating from unauthenticated sessions
- Stored database entries in WP Go Maps tables containing <script>, onerror=, onload=, or javascript: substrings
- Unexpected outbound requests from administrator browsers to attacker-controlled domains after viewing map-related admin pages
- New or modified WordPress administrator accounts created shortly after suspicious AJAX traffic
Detection Strategies
- Inspect web server access logs for anonymous POSTs to admin-ajax.php containing encoded HTML or script characters in parameters
- Query WP Go Maps plugin tables for rows containing HTML tag characters in fields expected to hold plain text
- Monitor WordPress audit logs for privilege changes, plugin installations, or option modifications that follow AJAX activity from external IPs
Monitoring Recommendations
- Enable a web application firewall with rules covering stored XSS payload patterns against WordPress AJAX endpoints
- Forward WordPress, PHP, and web server logs to a centralized analytics platform and alert on unauthenticated writes to plugin AJAX actions
- Track plugin version inventory across WordPress sites and alert when WP Go Maps reports a version below 9.0.48
How to Mitigate CVE-2025-11307
Immediate Actions Required
- Update WP Go Maps to version 9.0.48 or later on every WordPress site that runs the plugin
- Audit the plugin's database tables for previously injected script content and remove malicious entries
- Rotate administrator credentials and invalidate active sessions if exploitation indicators are present
- Review recently created users, modified options, and installed plugins for unauthorized changes
Patch Information
The vendor addressed the issue in WP Go Maps 9.0.48 by adding sanitization on the AJAX write path and escaping on the AJAX read path. Site operators should apply the update through the WordPress plugin manager or WP-CLI. Details are available in the WPScan Vulnerability Report.
Workarounds
- Deactivate the WP Go Maps plugin until the patched version can be installed
- Restrict access to admin-ajax.php for unauthenticated users at the WAF or reverse proxy layer for the affected wpgmza actions
- Apply a Content Security Policy that disallows inline scripts to reduce the impact of stored XSS execution in administrator browsers
# Update WP Go Maps using WP-CLI
wp plugin update wp-google-maps --version=9.0.48
wp plugin list --name=wp-google-maps --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
