CVE-2025-11703: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in wpgmaps WP Go Maps (formerly WP Google Maps)

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-11703, cwe-349
Published: Sat Oct 18 2025 (10/18/2025, 06:42:46 UTC)
Source: CVE Database V5
Vendor/Project: wpgmaps
Product: WP Go Maps (formerly WP Google Maps)

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from server-side responses and instead relying on user-input. This makes it possible for unauthenticated attackers to poison the cache location for location search results.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 19:11:26 UTC

Technical Analysis

CVE-2025-11703 is a vulnerability classified under CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) found in the WP Go Maps WordPress plugin, formerly known as WP Google Maps. This vulnerability affects all versions up to and including 9.0.48. The root cause is that the plugin does not serve cached location search results from server-side validated data but instead relies on user input to determine cache content. This design flaw allows unauthenticated attackers to poison the cache by injecting malicious or manipulated location search parameters. When other users access the cached data, they receive the poisoned content, which can lead to misinformation or incorrect map displays. The vulnerability does not affect confidentiality or availability but compromises data integrity. Exploitation requires no authentication or user interaction, making it relatively easy to attempt. However, as the impact is limited to integrity and does not disrupt service or expose sensitive data, the CVSS v3.1 base score is 5.3 (medium severity). No public exploits have been reported yet, and no patches were linked at the time of disclosure, indicating that remediation may be pending. The vulnerability highlights the importance of validating and sanitizing user inputs before caching and serving data in web applications, especially plugins widely used in content management systems like WordPress.

Potential Impact

The primary impact of CVE-2025-11703 is on data integrity within websites using the WP Go Maps plugin. Attackers can manipulate cached location search results, causing users to receive incorrect or misleading map data. This can degrade user trust, misinform customers, or disrupt business operations relying on accurate location information. Although confidentiality and availability are not affected, the integrity compromise can have reputational consequences and potentially lead to secondary attacks if users act on false location data. Since exploitation requires no authentication or user interaction, attackers can automate cache poisoning at scale. Organizations with high traffic websites using this plugin are at greater risk of widespread misinformation. The absence of known exploits in the wild suggests limited current exploitation but also indicates the need for proactive mitigation before attackers develop reliable exploit methods. The medium CVSS score reflects moderate risk, emphasizing the need for timely patching and input validation improvements.

Mitigation Recommendations

1. Monitor the WP Go Maps plugin vendor announcements and apply official patches promptly once released to address CVE-2025-11703.
2. Until patches are available, implement server-side validation and sanitization of all user inputs related to location search parameters to prevent injection of malicious data into the cache.
3. Configure caching mechanisms to serve only server-validated data rather than relying on user input for cache keys or content.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious cache poisoning attempts targeting location search endpoints.
5. Regularly audit and review caching policies and plugin configurations to ensure adherence to security best practices.
6. Consider temporarily disabling the WP Go Maps plugin if accurate location data is critical and no immediate patch is available.
7. Educate site administrators on the risks of accepting untrusted data in caching layers and encourage security-focused plugin management.
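The following is an added illustration of recommendations 2 and 3, written as a simplified, language-neutral model; it is not code from WP Go Maps. The class names, `normalize_query`, and the `TRUSTED_GEOCODER` table are hypothetical, and the sample data is constructed.

```python
import re

# Constructed stand-in for a trusted server-side geocoding lookup (hypothetical).
TRUSTED_GEOCODER = {"berlin": (52.52, 13.405), "paris": (48.8566, 2.3522)}


def normalize_query(raw):
    """Return a canonical cache key, or None if the query is rejected."""
    if not isinstance(raw, str):
        return None
    q = re.sub(r"\s+", " ", raw).strip().lower()
    if not q or len(q) > 100 or not re.fullmatch(r"[\w ,.'-]+", q):
        return None
    return q


class ClientFedCache:
    """Weak pattern: the request supplies both the key and the cached value."""

    def __init__(self):
        self.store = {}

    def save(self, request):
        self.store[request["query"]] = request["result"]  # untrusted value

    def search(self, query):
        return self.store.get(query)


class ServerFedCache:
    """Hardened pattern: only server-resolved results ever enter the cache."""

    def __init__(self, resolver=TRUSTED_GEOCODER.get):
        self.store = {}
        self.resolver = resolver

    def search(self, request):
        key = normalize_query(request.get("query"))
        if key is None:
            return None
        if key not in self.store:
            result = self.resolver(key)  # request["result"] is never read
            if result is None:
                return None  # unknown places are not cached
            self.store[key] = result
        return self.store[key]
```

In the hardened class the cache key is derived from a validated, normalized query and the cached value comes only from the server-side resolver, so nothing a visitor sends can become what another visitor is served.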


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-10-13T18:54:06.234Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f33944197c8629076f80e5

Added to database: 10/18/2025, 6:52:52 AM

Last enriched: 2/27/2026, 7:11:26 PM

Last updated: 3/25/2026, 4:34:30 AM
