CVE-2025-11166 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP Go Maps WordPress plugin (formerly WP Google Maps) affecting all versions up to 9.0.46. The vulnerability stems from the plugin exposing state-changing REST API actions through an AJAX bridge without proper CSRF token validation, violating secure design principles. Additionally, destructive operations are accessible via HTTP GET requests that lack a permission_callback, meaning no authentication or authorization checks are enforced for these actions. This combination allows an attacker to craft malicious web requests that, when visited by a logged-in administrator, can force unintended creation, modification, or deletion of map markers and geometry features. More critically, anonymous users can exploit unsafe GET endpoints to trigger mass deletion of markers without any authentication or user interaction. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction for some attack vectors. The vulnerability impacts the integrity and availability of map data managed by the plugin, potentially disrupting website functionality and user experience. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered exploitable. The root cause is insufficient validation of CSRF tokens and missing permission checks on REST endpoints, which are fundamental security oversights in WordPress plugin development. Organizations using this plugin should monitor for updates and apply patches promptly once available.

For European organizations, the vulnerability poses a risk to the integrity and availability of map-related data on WordPress sites using WP Go Maps. Attackers can manipulate or delete critical geographic markers, potentially disrupting services that rely on accurate mapping information, such as logistics, retail location services, tourism, and public information portals. The ability for unauthenticated users to cause mass deletion of markers via GET requests increases the risk of denial-of-service conditions on mapping features. This can degrade user trust and operational continuity. Since WordPress is widely used across Europe, and WP Go Maps is a popular plugin for embedding maps, the threat surface is significant. Organizations with high-value or public-facing WordPress sites are particularly vulnerable, especially if administrators are targeted via CSRF attacks. The disruption could affect customer engagement, internal operations, and compliance with data integrity requirements. Given the medium severity, the threat is moderate but should not be underestimated, especially in sectors where mapping data is critical.

1. Monitor the WP Go Maps plugin repository and vendor announcements closely for the release of a security patch addressing CVE-2025-11166 and apply it immediately upon availability. 2. Until a patch is available, restrict access to WordPress administrative interfaces to trusted IP addresses or VPNs to reduce exposure to CSRF attacks targeting logged-in administrators. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts and unauthorized GET requests targeting the plugin’s REST endpoints. 4. Educate WordPress administrators about the risks of CSRF and encourage them to avoid clicking on untrusted links while logged into the admin panel. 5. Review and harden WordPress REST API permissions and consider disabling or limiting the WP Go Maps REST endpoints if feasible. 6. Regularly back up WordPress site data, including map markers and geometry features, to enable rapid restoration in case of data manipulation or deletion. 7. Conduct security audits of installed plugins to identify other potential vulnerabilities and ensure all plugins are kept up to date. 8. Consider deploying Content Security Policy (CSP) headers to reduce the risk of malicious cross-site requests.