CVE-2025-11307 | THREATINT

Description

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

PUBLISHED Reserved 2025-10-04 | Published 2025-11-11 | Updated 2025-11-13 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status

unaffected

Any version before 9.0.48

affected

Credits

sunghoon kim finder

WPScan coordinator

References

wpscan.com/...rability/f5b21a05-7a51-4530-9e07-4700f00eeca3/ exploit vdb-entry technical-description

cve.org (CVE-2025-11307)

nvd.nist.gov (CVE-2025-11307)

Download JSON