CVE-2025-11166: CWE-352 Cross-Site Request Forgery (CSRF) in wpgmaps WP Go Maps (formerly WP Google Maps)
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.
AI Analysis
Technical Summary
CVE-2025-11166 is a CSRF vulnerability in the WP Go Maps WordPress plugin affecting all versions up to and including 9.0.46. The plugin exposes state-changing REST API endpoints through an AJAX bridge without enforcing CSRF token validation. Furthermore, some destructive operations are accessible via GET requests without permission checks. This design flaw enables attackers to force authenticated administrators to perform unauthorized actions on map data and allows unauthenticated users to delete markers en masse. The vulnerability is classified under CWE-352 and has a medium severity rating with a CVSS 3.1 score of 5.4.
Potential Impact
The vulnerability allows attackers to perform unauthorized state-changing actions on the plugin's map data. Authenticated administrators can be tricked into creating, updating, or deleting markers and geometry features without their consent. Moreover, anonymous users can exploit unsafe GET requests to cause mass deletion of markers. This can lead to data loss and disruption of map functionality within affected WordPress sites.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the WP Go Maps plugin or restricting access to administrative accounts to trusted users only. Avoid clicking on untrusted links while logged in as an administrator. Monitor official vendor channels for updates and apply patches promptly once released.
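As an added illustration (not the plugin's own code), the two weaknesses the advisory names, expressed in WordPress terms: a destructive REST route registered for GET with no permission_callback, and an admin-ajax bridge that forwards to the same logic without a nonce check, each shown beside a hardened form. The namespace, action names and the marker-deletion helper are hypothetical.

```php
<?php
// Added illustration, not the plugin's code: weak and hardened forms of a
// destructive REST route and its AJAX bridge. Names below are hypothetical.

add_action( 'rest_api_init', function () {
    // WEAK: destructive action reachable via GET, and no permission_callback,
    // so any visitor (no login, no nonce) can trigger it.
    register_rest_route( 'example-maps/v1', '/markers/delete-all', array(
        'methods'  => WP_REST_Server::READABLE,   // GET
        'callback' => 'example_delete_all_markers',
    ) );

    // HARDENED: non-idempotent verb plus a capability check. Cookie-authenticated
    // REST calls only carry a user when a valid X-WP-Nonce ('wp_rest') is present,
    // so current_user_can() fails for a forged cross-site request.
    register_rest_route( 'example-maps/v1', '/markers', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_all_markers',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' )
                ? true
                : new WP_Error( 'rest_forbidden', 'Insufficient permissions', array( 'status' => 403 ) );
        },
    ) );
} );

// WEAK bridge: the admin-ajax handler forwards straight to the destructive helper.
// The login cookie is sent automatically, so a page on another origin can make
// a logged-in admin's browser issue this request (the CSRF the advisory describes).
add_action( 'wp_ajax_example_delete_markers', function () {
    example_delete_all_markers( new WP_REST_Request( 'GET' ) );
    wp_die();
} );

// HARDENED bridge: verify the nonce issued to this admin via
// wp_create_nonce( 'example_delete_markers' ) and the capability before forwarding.
add_action( 'wp_ajax_example_delete_markers_safe', function () {
    check_ajax_referer( 'example_delete_markers', 'nonce' );   // 403 on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( example_delete_all_markers( new WP_REST_Request( 'DELETE' ) ) );
} );

function example_delete_all_markers( WP_REST_Request $request ) {
    // Hypothetical destructive operation; real code would touch the marker table.
    return rest_ensure_response( array( 'deleted' => true ) );
}
```

A registered route with no permission_callback is treated by WordPress as public, which is why the GET variant is reachable by anonymous users; the AJAX bridge needs its own nonce check because admin-ajax.php does not inherit the REST API's X-WP-Nonce handling.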
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-29T16:49:57.375Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e71ce832de7eb26af6c05d
Added to database: 10/9/2025, 2:24:40 AM
Last enriched: 4/9/2026, 3:51:30 PM
Last updated: 5/10/2026, 12:30:35 AM
Views: 182