Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from server-side responses and instead relying on user input. This makes it possible for unauthenticated attackers to poison the cache location for location search results.

PUBLISHED Reserved 2025-10-13 | Published 2025-10-18 | Updated 2025-10-18 | Assigner Wordfence




MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data

Product status

Default status: unaffected

*: affected

Timeline

2025-10-13: Vendor Notified
2025-10-17: Disclosed

Credits

Dmitrii Ignatyev (finder)

References

www.wordfence.com/...-e78a-4344-be06-95735337a2d6?source=cve

research.cleantalk.org/cve-2025-11703

plugins.trac.wordpress.org/...gle-maps&sfp_email=&sfph_mail=

github.com/CodeCabin/wp-google-maps/pull/1087/files

cve.org (CVE-2025-11703)

nvd.nist.gov (CVE-2025-11703)
