CVE-2025-11703 identifies a cache poisoning vulnerability in the WP Go Maps plugin for WordPress, formerly known as WP Google Maps, affecting all versions up to and including 9.0.48. The vulnerability stems from the plugin's improper handling of cached location search results, where it relies on user-supplied input to serve cached data instead of validating or generating cache entries server-side. This design flaw allows unauthenticated attackers to inject or poison cache entries with extraneous untrusted data, violating CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data). The attack vector is network-based with no authentication or user interaction required, making exploitation feasible remotely. Successful exploitation compromises data integrity by causing the plugin to serve manipulated or malicious location data to end users, potentially misleading site visitors or automated systems relying on accurate geolocation information. The vulnerability does not impact confidentiality or availability, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 5.3 (medium), reflecting the moderate impact and ease of exploitation. The lack of a patch at the time of disclosure means users must rely on interim mitigations. This vulnerability is particularly relevant for websites that use WP Go Maps to provide location-based services or information, as poisoned cache data could undermine trust and operational accuracy.

For European organizations, the primary impact of CVE-2025-11703 is the degradation of data integrity on websites using the affected WP Go Maps plugin. Poisoned cache entries could cause incorrect or malicious location data to be displayed to users, potentially misleading customers, partners, or internal users. This could affect businesses relying on accurate geolocation for logistics, retail, or service delivery. While confidentiality and availability are not directly impacted, the reputational damage from serving manipulated data could be significant. Additionally, misinformation could disrupt automated processes or integrations that depend on accurate location data. Since the vulnerability can be exploited without authentication or user interaction, attackers can remotely target vulnerable sites at scale. European organizations with public-facing WordPress sites using WP Go Maps are at risk, especially those in sectors where location accuracy is critical, such as transportation, tourism, real estate, and local services.

Immediate mitigation should focus on restricting cache poisoning vectors by implementing server-side validation of all inputs used to generate cached location data. Organizations should monitor and filter incoming requests to detect and block suspicious or malformed parameters that could influence cache keys or content. Until an official patch is released, disabling caching features related to location search results or replacing WP Go Maps with alternative plugins that do not exhibit this vulnerability can reduce risk. Web application firewalls (WAFs) can be configured to block anomalous requests targeting the plugin’s endpoints. Regularly auditing and updating WordPress plugins is essential to ensure timely application of security patches once available. Additionally, organizations should review their cache configuration to ensure that cache entries are not influenced by user input without proper sanitization and validation. Logging and monitoring for unusual cache behavior or unexpected location data can help detect exploitation attempts early.