CVE-2025-11166: CWE-352 Cross-Site Request Forgery (CSRF) in wpgmaps WP Go Maps (formerly WP Google Maps)
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.
AI Analysis
Technical Summary
The WP Go Maps plugin for WordPress, previously known as WP Google Maps, is affected by a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2025-11166 in all versions up to and including 9.0.46. Two weaknesses combine. First, state-changing REST actions are exposed through an AJAX bridge that does not validate a CSRF token (a WordPress nonce). WordPress only attributes a cookie-authenticated REST request to the logged-in user when the request also carries a valid X-WP-Nonce header; a bridge that accepts the same actions through admin-ajax.php without calling check_ajax_referer() or wp_verify_nonce() removes that gate, so a request forged from another site rides the administrator's existing session cookie. Second, destructive logic is reachable over HTTP GET on routes registered without a permission_callback, so no capability check runs at all. Consequently, an attacker who lures an authenticated administrator to a malicious page can force the creation, modification, or deletion of map markers and geometry features, and an anonymous user can trigger mass deletion of markers simply by requesting the unprotected GET endpoint; a GET request needs no tooling beyond a link or an image tag. Confidentiality is not affected; integrity and availability of the map data are. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) encodes a network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, and low integrity and availability impact, for a base score of 5.4 (Medium). The UI:R component reflects the CSRF path; the unauthenticated GET deletion path needs no user interaction. No patch was linked at the time of disclosure, and no active exploitation had been reported. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
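The two weaknesses described above, shown beside their fix, as an added illustrative example that is not code from WP Go Maps: the namespace example-maps/v1, the routes, the admin-ajax action example_maps_bridge, the nonce action, the table name and every function name are invented for the demonstration. The bridge is modelled as an internal rest_do_request() dispatch, which is the usual shape of such bridges and which skips the REST API's own nonce check.

```php
<?php
// Illustrative example, not WP Go Maps code. Namespace, route, hook, table and
// function names are invented to show the vulnerable pattern next to its fix.

// Destructive operation shared by both versions (assumed table name).
function example_delete_all_markers( WP_REST_Request $request ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_markers';
    $deleted = $wpdb->query( "DELETE FROM {$table}" );
    return rest_ensure_response( array( 'deleted' => (int) $deleted ) );
}

// The "bridge": forwards an admin-ajax call to a REST route by dispatching it
// internally. rest_do_request() bypasses the REST authentication step, including
// the X-WP-Nonce check, so whoever is logged in via cookie is the acting user.
function example_bridge_dispatch( $method, $path, array $params ) {
    $request = new WP_REST_Request( $method, '/example-maps/v1' . $path );
    $request->set_body_params( $params );
    return rest_do_request( $request )->get_data();
}

// ---- Vulnerable pattern (what the advisory describes) ----
function example_maps_register_vulnerable() {
    add_action( 'rest_api_init', function () {
        register_rest_route( 'example-maps/v1', '/markers/delete-all', array(
            'methods'  => WP_REST_Server::ALLMETHODS,   // GET reaches destructive logic
            'callback' => 'example_delete_all_markers', // no permission_callback: anyone may call it
        ) );
    } );
    add_action( 'wp_ajax_example_maps_bridge', function () {
        // No check_ajax_referer(): a request forged from another origin carries
        // the administrator's cookie and is executed as the administrator.
        wp_send_json( example_bridge_dispatch(
            strtoupper( sanitize_key( $_REQUEST['method'] ?? 'post' ) ),
            '/' . ltrim( sanitize_text_field( $_REQUEST['path'] ?? '' ), '/' ),
            (array) ( $_REQUEST['data'] ?? array() )
        ) );
    } );
}

// ---- Hardened pattern ----
function example_maps_register_hardened() {
    add_action( 'rest_api_init', function () {
        register_rest_route( 'example-maps/v1', '/markers', array(
            // DELETE only: a link, image tag or HTML form cannot send it, and the
            // permission_callback runs before the callback.
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_delete_all_markers',
            // With cookie auth WordPress attributes the request to the user only
            // when a valid X-WP-Nonce is present; a forged cross-site request has
            // none, so current_user_can() evaluates for user 0 and fails.
            'permission_callback' => function () {
                return current_user_can( 'manage_options' );
            },
        ) );
    } );
    add_action( 'wp_ajax_example_maps_bridge', function () {
        // The bridge must verify its own nonce, because the internal dispatch
        // below never reaches the REST nonce check.
        check_ajax_referer( 'example_maps_bridge', 'nonce' ); // dies with 403 on a missing or invalid nonce
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        wp_send_json( example_bridge_dispatch(
            strtoupper( sanitize_key( $_REQUEST['method'] ?? 'post' ) ),
            '/' . ltrim( sanitize_text_field( $_REQUEST['path'] ?? '' ), '/' ),
            (array) ( $_REQUEST['data'] ?? array() )
        ) );
    } );
    // Hand the nonce to the admin page script so legitimate calls can send it.
    add_action( 'admin_enqueue_scripts', function () {
        wp_localize_script( 'example-maps-admin', 'exampleMaps', array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'example_maps_bridge' ),
        ) );
    } );
}

example_maps_register_hardened(); // only the safe version is registered
```

The point to take from the hardened half is that the permission_callback and the nonce check are two different gates: the permission_callback protects the route when it is hit directly over /wp-json/, and the nonce check in the bridge is what protects the same route when it is reached through admin-ajax.php, because an internal dispatch inherits the administrator's cookie session without ever validating X-WP-Nonce.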
Potential Impact
This vulnerability can have serious consequences for organizations relying on WP Go Maps for location-based services on their WordPress sites. Attackers can manipulate map data by forcing administrators to unknowingly create, update, or delete markers, potentially misleading users or disrupting business operations. The ability for unauthenticated users to trigger mass deletion of markers can lead to significant data loss and service disruption, affecting user trust and operational continuity. Since WordPress powers a large portion of websites globally, and WP Go Maps is a popular plugin, the attack surface is broad. The integrity and availability of critical geospatial data can be compromised, which may impact businesses that depend on accurate mapping for logistics, customer engagement, or internal operations. Although confidentiality is not directly affected, the loss or alteration of map data can indirectly harm organizational reputation and user experience. The medium CVSS score reflects these moderate but tangible risks. Organizations without timely mitigation may face defacement, misinformation, or denial of service related to their map features.
Mitigation Recommendations
To mitigate this vulnerability, update the WP Go Maps plugin to a patched version as soon as the vendor releases one. Until a patch is available, be clear about what does and does not help. Multi-factor authentication does not reduce CSRF risk: the forged request is issued by the administrator's own browser with the administrator's existing session cookie, after MFA has already succeeded. Restricting wp-admin to trusted IP addresses likewise does not stop CSRF, because the victim's browser is on a trusted address, and it does not cover the REST API under /wp-json/, which has to stay reachable by visitors who load the map. Measures that do help: add Web Application Firewall rules that block GET requests to the plugin's REST routes and AJAX actions that delete or write markers, and that block write requests to the REST API that carry a WordPress session cookie but no X-WP-Nonce header; audit the REST routes the plugin registers (the index at /wp-json/ lists them) and, through a must-use plugin hooking the rest_endpoints or rest_request_before_callbacks filter, attach a capability check to any route that has no permission_callback, then test the public map afterwards because the front end reads through the same API; keep regular backups of the database tables that hold markers and geometry so that a mass deletion can be reversed quickly; tell administrators not to browse untrusted sites while logged in, noting that browsers which default cookies to SameSite=Lax stop cross-site POSTs but still send the cookie on a top-level GET navigation, so the GET path remains reachable from a plain link; and monitor web server logs for GET requests to the plugin's REST namespace or admin-ajax.php actions that perform deletions, for bursts of delete requests, and for a marker count that drops suddenly.
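One way to implement the interim capability check above as a must-use plugin, as an added example that is not vendor code. Everything site-specific is a placeholder: the namespace example-maps/v1 and the read-only route prefixes in EXAMPLE_MAPS_PUBLIC_READS are assumptions, to be replaced with the real values read from the route index at /wp-json/ and from the requests the front-end map makes in the browser's developer tools. The guard sees only requests that pass through the REST server; an AJAX bridge that calls plugin functions directly, without dispatching through REST, is outside its reach.

```php
<?php
/**
 * Plugin Name: Interim REST guard for a map plugin
 * Description: Example must-use plugin (not vendor code) for wp-content/mu-plugins/.
 *              Remove it once the vendor patch is installed.
 *
 * ASSUMPTIONS (placeholders, not taken from the advisory or the plugin):
 *  - the affected routes live under EXAMPLE_MAPS_NS;
 *  - the read-only routes the public map needs start with a prefix listed in
 *    EXAMPLE_MAPS_PUBLIC_READS. Any GET outside that list is treated as a write.
 */

const EXAMPLE_MAPS_NS           = 'example-maps/v1';
const EXAMPLE_MAPS_PUBLIC_READS = array( '/example-maps/v1/maps', '/example-maps/v1/markers' );

/**
 * True when the browser says the request came from another site. Current
 * browsers send Sec-Fetch-Site; older ones send Origin (on POST) or Referer.
 * With no signal at all the request is treated as same-site so that non-browser
 * API clients keep working; this is defence in depth, not the main gate.
 */
function example_maps_request_is_cross_site() {
    $sfs = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
    if ( $sfs !== '' ) {
        return $sfs === 'cross-site';
    }
    $source = $_SERVER['HTTP_ORIGIN'] ?? ( $_SERVER['HTTP_REFERER'] ?? '' );
    if ( $source === '' ) {
        return false;
    }
    $source_host = (string) wp_parse_url( $source, PHP_URL_HOST );
    $site_host   = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    return strcasecmp( $source_host, $site_host ) !== 0;
}

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }

    $route = $request->get_route();
    if ( strpos( $route, '/' . EXAMPLE_MAPS_NS . '/' ) !== 0 ) {
        return $response; // not the map plugin's namespace, leave untouched
    }

    // Anonymous GET/HEAD to an allow-listed read route is the public map loading.
    if ( in_array( $request->get_method(), array( 'GET', 'HEAD' ), true ) ) {
        foreach ( EXAMPLE_MAPS_PUBLIC_READS as $prefix ) {
            if ( strpos( $route, $prefix ) === 0 ) {
                return $response;
            }
        }
    }

    // Any write, and any GET outside the allow-list (where destructive-via-GET
    // logic would sit), needs an administrator. REST cookie auth sets the current
    // user only when the request carried a valid X-WP-Nonce, so a request forged
    // from another site arrives here as user 0 and is refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'example_maps_guard_forbidden',
            'Blocked by interim CSRF guard pending vendor patch.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // An admin-ajax bridge that dispatches internally arrives with the
    // administrator's cookie session already active and no nonce checked, so for
    // requests that passed as an administrator also refuse a browser-marked
    // cross-site origin.
    if ( example_maps_request_is_cross_site() ) {
        return new WP_Error(
            'example_maps_guard_cross_site',
            'Cross-site request to a map write action refused.',
            array( 'status' => 403 )
        );
    }

    return $response;
}, 10, 3 );
```

After installing it, load the public map as a logged-out visitor and exercise every marker and geometry operation from the admin screen; a 403 in the front end means a read route is missing from the allow-list, and a 403 in the admin screen means the plugin's own call lacks the nonce WordPress expects, which is the condition the guard is meant to enforce.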
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-29T16:49:57.375Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e71ce832de7eb26af6c05d
Added to database: 10/9/2025, 2:24:40 AM
Last enriched: 2/27/2026, 6:48:33 PM
Last updated: 3/23/2026, 5:54:25 PM