WP Google Maps < 9.0.48 - Unauthenticated Stored XSS

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

Basic Information

ID CVE-2025-11307

Source WPScan

Published Nov 11, 2025 at 06:00

Modified Nov 12, 2025 at 21:26

Affected Product

Vendor Unknown

Product WP Go Maps (formerly WP Google Maps)

Affected Versions Unknown WP Go Maps (formerly WP Google Maps) 0

CWE Classification

References

wpscan.com /vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/

{
    "lastseen": "",
    "description": "The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.",
    "published": "2025-11-11T06:00:06.520Z",
    "modified": "2025-11-12T21:26:51.102Z",
    "type": "cve",
    "title": "WP Google Maps < 9.0.48 - Unauthenticated Stored XSS",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/",
    "id": "CVE-2025-11307",
    "bulletinFamily": "",
    "cwe": [
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown WP Go Maps (formerly WP Google Maps) 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WP Go Maps (formerly WP Google Maps)",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WP Google Maps < 9.0.48 - Unauthenticated Stored XSS_CVE-2025-11307