CVE-2025-11166 is a medium-severity CSRF vulnerability found in the WP Go Maps WordPress plugin (formerly WP Google Maps) affecting all versions up to 9.0.46. The root cause lies in the plugin's exposure of state-changing REST API actions through an AJAX bridge that lacks proper CSRF token validation, violating secure design principles. Additionally, certain destructive operations are accessible via HTTP GET requests without any permission_callback checks, which is a critical security flaw since GET requests should be idempotent and safe. This combination allows unauthenticated attackers to exploit the vulnerability in two ways: first, by tricking logged-in administrators into performing unintended actions such as creating, updating, or deleting map markers and geometry features via CSRF attacks; second, by enabling anonymous users to perform mass deletions of markers through unsafe GET requests. The vulnerability impacts the integrity and availability of map data managed by the plugin but does not affect confidentiality directly. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) reflects that the attack can be performed remotely without privileges but requires user interaction (an administrator to be logged in and tricked). No known exploits have been reported in the wild as of the publication date. The plugin is widely used in WordPress sites to manage maps, making this vulnerability relevant for many organizations relying on this functionality. The lack of patch links suggests a fix was not yet publicly available at the time of disclosure, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of map-related data on WordPress sites using the WP Go Maps plugin. Attackers can manipulate or delete critical geospatial data, potentially disrupting services that rely on accurate mapping information, such as logistics, retail location services, or public information portals. The forced actions on administrator accounts via CSRF could lead to unauthorized changes without the administrators' knowledge, undermining trust and operational reliability. Mass deletion of markers by anonymous users could cause significant data loss and service outages. While confidentiality is not directly impacted, the disruption to business processes and potential reputational damage can be substantial. Organizations with public-facing websites or internal portals using this plugin are at risk of service degradation or defacement. The medium severity indicates a moderate but actionable threat that requires attention to prevent exploitation.

1. Immediately monitor for updates from the WP Go Maps plugin developers and apply patches as soon as they are released. 2. Until a patch is available, restrict access to the WordPress admin dashboard to trusted IP addresses or VPNs to reduce exposure of logged-in administrator sessions. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts and unauthorized GET requests targeting the plugin's endpoints. 4. Review and harden WordPress security configurations, including enforcing strong administrator session management and reducing session lifetimes. 5. Disable or limit the use of the WP Go Maps plugin if it is not critical, or consider alternative plugins with better security track records. 6. Educate administrators about the risks of CSRF and encourage them to avoid clicking on suspicious links while logged into the WordPress admin panel. 7. Conduct regular backups of map data and site content to enable rapid recovery in case of data manipulation or deletion. 8. Audit plugin REST API endpoints and consider custom development to add CSRF token validation and permission callbacks if immediate patching is not possible.