CVE-2025-11999 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Add Multiple Marker WordPress plugin developed by krishaweb. The flaw exists in all versions up to and including 1.2 due to the absence of proper capability checks in two key functions: addmultiplemarker_reset_map() and amm_save_map_api(). These functions handle resetting maps and saving map API configurations, respectively. Because the plugin does not verify whether the requester has the necessary permissions, unauthenticated attackers can invoke these functions remotely to alter map API settings or reset maps without any authentication or user interaction. The vulnerability's CVSS 3.1 base score is 5.3, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required. The impact is limited to integrity, as attackers can modify map data but cannot affect confidentiality or availability. No patches are currently available, and no exploits have been observed in the wild. The vulnerability poses a risk to WordPress sites that utilize this plugin for map-related features, potentially undermining the reliability and trustworthiness of displayed map information.

For European organizations, the vulnerability could lead to unauthorized modification of map data on websites, which may affect customer trust, user experience, and operational accuracy, especially for businesses relying on geolocation services, delivery routing, or location-based marketing. While it does not directly compromise sensitive data or system availability, tampering with map APIs can cause misinformation or service disruption in map-dependent functionalities. This could indirectly impact business reputation and customer satisfaction. Public-facing websites using the vulnerable plugin are particularly at risk. Attackers could exploit this vulnerability to inject misleading location data or disrupt map displays, potentially affecting sectors such as logistics, retail, tourism, and real estate. The lack of authentication requirements increases the risk of automated or widespread exploitation attempts. However, the absence of known exploits in the wild suggests limited current impact but warrants proactive mitigation.

1. Monitor official krishaweb channels and WordPress plugin repositories for patches or updates addressing this vulnerability and apply them promptly once available. 2. In the interim, restrict access to the vulnerable plugin’s endpoints (addmultiplemarker_reset_map and amm_save_map_api) using web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. 3. Implement strict IP whitelisting or authentication mechanisms for administrative or plugin-related API endpoints where feasible. 4. Regularly audit WordPress plugins and remove or replace those that are no longer maintained or have known vulnerabilities. 5. Monitor website logs for unusual or unauthorized requests targeting the vulnerable functions to detect potential exploitation attempts early. 6. Educate site administrators about the risks of unauthorized plugin modifications and encourage adherence to the principle of least privilege for user roles. 7. Consider temporarily disabling the Add Multiple Marker plugin if map functionality is not critical until a secure version is released.