CVE-2025-11999 identifies a missing authorization vulnerability (CWE-862) in the Add Multiple Marker WordPress plugin developed by krishaweb, specifically in all versions up to and including 1.2. The vulnerability exists because the functions addmultiplemarker_reset_map() and amm_save_map_api() lack proper capability checks, allowing unauthenticated users to invoke these functions. This flaw enables attackers to reset map configurations and update the map API settings without any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to integrity, as attackers can modify map-related data, but confidentiality and availability remain unaffected. The vulnerability has a CVSS 3.1 base score of 5.3, categorizing it as medium severity. No patches or known exploits are currently documented, but the absence of authorization checks represents a significant security oversight that could be leveraged to disrupt map functionality or manipulate displayed data on affected WordPress sites.

The primary impact of this vulnerability is unauthorized modification of map data and API configurations on WordPress sites using the Add Multiple Marker plugin. This can lead to misinformation being displayed to site visitors, potentially damaging the credibility of affected organizations. While it does not directly compromise user data confidentiality or site availability, the integrity breach can be exploited for misinformation campaigns, phishing, or to undermine trust in the website. For organizations relying on accurate geolocation or mapping data for business operations, marketing, or customer interaction, this could result in operational disruptions or reputational harm. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of opportunistic attacks. The lack of known exploits currently limits immediate widespread impact, but the vulnerability remains a significant risk if weaponized.

To mitigate this vulnerability, organizations should immediately update the Add Multiple Marker plugin to a patched version once available from krishaweb. In the absence of an official patch, administrators should implement strict access controls at the web server or application firewall level to restrict access to the vulnerable functions, particularly blocking unauthenticated requests targeting addmultiplemarker_reset_map() and amm_save_map_api() endpoints. Reviewing and hardening WordPress user roles and capabilities to ensure only trusted users can modify map settings is critical. Monitoring web server logs for suspicious requests related to these functions can help detect exploitation attempts. Additionally, consider disabling or removing the plugin if it is not essential to reduce the attack surface. Regular security audits and vulnerability scanning of WordPress plugins should be part of ongoing security hygiene to identify similar issues proactively.