Cyber Posture

CVE-2025-11307

High

Published: 11 November 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0263 (85.8th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly requires validation and sanitization of user input submitted via the AJAX action, so that XSS payloads cannot be stored.
- prevent: Mandates filtering and escaping of stored data when it is output by the retrieving AJAX call, so that a stored XSS payload cannot execute in a victim's browser.
- prevent: Ensures timely remediation of the plugin flaw by patching to version 9.0.48, which addresses both the input sanitization and the output escaping deficiencies.

Security Summary [AI]

CVE-2025-11307 is a stored cross-site scripting (XSS) vulnerability affecting the WP Go Maps (formerly WP Google Maps) WordPress plugin in versions before 9.0.48. The flaw arises because the plugin does not sanitize user input submitted via an AJAX action, allowing malicious payloads to be stored and later retrieved through another AJAX call where they are output without proper escaping.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by submitting unsanitized input containing XSS payloads. Exploitation requires user interaction, such as a victim triggering the retrieval of the payload, after which arbitrary JavaScript executes in the victim's browser context. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high severity due to substantial impacts on confidentiality, integrity, and availability.

The WPScan advisory at https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/ details the issue, with mitigation achieved by updating the WP Go Maps plugin to version 9.0.48 or later.

Details

CWE(s): None listed

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
- T1491 Defacement (Impact): Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.
Why these techniques?

A stored XSS vulnerability in a public-facing WordPress plugin is directly exploitable through the public-facing application (T1190). The resulting arbitrary JavaScript execution in a victim's browser enables theft of web session cookies (T1539) and site defacement (T1491).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References