PT-2025-41330 · WordPress · Wp Go Maps
Author: Dmitry Ignatyev · Published: 2025-10-09 · Updated: 2025-11-08
CVE-2025-11166
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
WP Go Maps plugin for WordPress versions prior to 9.0.46
Description
The WP Go Maps plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). The plugin exposes state-changing REST actions through an AJAX bridge without appropriate CSRF token validation, and its destructive logic is reachable via GET requests without permission checks. An unauthenticated attacker can therefore force a logged-in administrator to create, update, or delete markers and geometry features, and anonymous users can trigger mass deletion of markers via unsafe GET requests.
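To illustrate the class of defect described above, here is an added example of a hypothetical WordPress admin-ajax handler that deletes map markers, first in the CSRF-prone shape the advisory describes and then hardened; it is not WP Go Maps code, and the action names, the `wpgm_demo_*` functions and the `delete_map_markers()` helper are assumptions.

```php
<?php
// Added example, not code from the WP Go Maps plugin. All names below are assumptions;
// delete_map_markers( array $ids ) is a hypothetical helper that removes markers by id.

// --- Weak pattern: anonymous-reachable, GET-reachable, no nonce and no capability check.
add_action( 'wp_ajax_wpgm_demo_delete_markers', 'wpgm_demo_delete_markers_weak' );
add_action( 'wp_ajax_nopriv_wpgm_demo_delete_markers', 'wpgm_demo_delete_markers_weak' ); // opens it to logged-out callers
function wpgm_demo_delete_markers_weak() {
    $ids = array_map( 'absint', (array) ( $_REQUEST['ids'] ?? array() ) ); // $_REQUEST also accepts GET
    delete_map_markers( $ids ); // destructive logic with no proof of intent or authority
    wp_send_json_success();
}

// --- Hardened pattern: POST only, logged-in only, nonce-checked, capability-checked.
add_action( 'wp_ajax_wpgm_demo_delete_markers_v2', 'wpgm_demo_delete_markers_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
function wpgm_demo_delete_markers_hardened() {
    // 1. A destructive action must not fire from a plain GET (link, <img> tag, redirect).
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( 'POST required', 405 );
    }
    // 2. Nonce bound to this action; check_ajax_referer() exits with HTTP 403 on failure.
    check_ajax_referer( 'wpgm_demo_delete_markers', 'nonce' );
    // 3. The nonce proves intent; the capability check proves authority. Both are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no marker ids supplied', 400 );
    }
    delete_map_markers( $ids );
    wp_send_json_success( array( 'deleted' => count( $ids ) ) );
}

// The nonce has to reach the admin-side script that issues the request; hand it over on enqueue.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'wpgm-demo-admin', 'wpgmDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpgm_demo_delete_markers' ),
    ) );
} );
```

For handlers exposed as REST routes rather than admin-ajax actions, the equivalent controls are a non-trivial `permission_callback` in `register_rest_route()` plus the `X-WP-Nonce` header that WordPress validates for cookie-authenticated REST requests.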
Recommendations
Update the WP Go Maps plugin to a version later than 9.0.46.
Fix
CSRF
Affected Products
Wp Go Maps