PT-2025-46300 · WordPress · Wp Go Maps+1

Sunghoon Kim · Published 2025-11-11 · Updated 2025-12-04 · CVE-2025-11307

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WP Go Maps (formerly WP Google Maps) versions prior to 9.0.48

Description

The WP Go Maps WordPress plugin does not properly sanitize user-supplied data submitted through an AJAX request. This allows unauthenticated users to inject and store cross-site scripting (XSS) payloads. These payloads are subsequently retrieved via another AJAX call and displayed without proper escaping, potentially leading to the execution of malicious scripts. The plugin is vulnerable because it fails to validate input before processing it, creating an opportunity for attackers to compromise the system.

Recommendations

Update WP Go Maps (formerly WP Google Maps) to version 9.0.48 or later.


Related Identifiers

CVE-2025-11307

Affected Products

Wp Go Maps
Wp Google Maps