CVE-2025-11166
Description
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP Go Maps (≤9.0.46) has a CSRF and missing-authorization flaw in its AJAX bridge, allowing an attacker to force logged-in administrators to create, update, or delete markers and geometry features, and allowing anonymous mass deletion of markers.
Vulnerability
Overview
The WP Go Maps plugin for WordPress (up to version 9.0.46) exposes internal REST API endpoints through an admin-ajax.php bridge action wpgmza_rest_api_request. This bridge lacks proper CSRF token validation and, in some cases, does not enforce permission checks. The plugin allows state-changing operations (creating, updating, deleting markers and geometry features) to be reached via GET requests on a destructive route without a permission_callback. [1]
Attack Vector
An unauthenticated attacker can exploit the CSRF weakness by tricking a logged-in administrator or editor into visiting a crafted page or clicking a malicious link. This forces the victim's browser to send forged requests that create, modify, or delete markers and geometry. Additionally, the permissive GET endpoint enables anonymous users to directly trigger mass deletion of markers without any authentication or user interaction. [1]
Impact
Successful exploitation allows an attacker to tamper with map content, potentially defacing sites or disrupting services that rely on accurate map data. The ability to mass delete markers anonymously also constitutes a denial-of-service (DoS) condition, as it can remove all map points without administrative oversight. [1]
Mitigation
The plugin vendor has been notified, and a PoC exists; affected users should update WP Go Maps to a version newer than 9.0.46 once a patched release is available. As a temporary measure, administrators can restrict access to the AJAX bridge or implement additional server-side validation, but updating is the definitive fix. [1]
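The two root causes named above (a destructive REST route with no permission_callback that answers GET, and an admin-ajax bridge that forwards requests without CSRF token validation) map onto concrete WordPress API usage. The following is an added example of the hardened pattern for a hypothetical map-marker plugin; it is not WP Go Maps code, and the namespace `example-maps/v1`, the callback names, the option name `example_maps_markers`, the nonce action `example_maps_rest`, and the bridge action `example_maps_rest_request` are all assumptions:

```php
<?php
// Added example (not WP Go Maps code): a hypothetical marker plugin that registers
// its REST routes with a permission_callback on every route, keeps destructive
// actions off GET, and verifies a nonce in its admin-ajax bridge before forwarding
// anything to the REST server. All names below are assumptions.

add_action( 'rest_api_init', function () {
    // Read-only listing: safe over GET, so it may stay public.
    register_rest_route( 'example-maps/v1', '/markers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_maps_list_markers',
        'permission_callback' => '__return_true',
    ) );

    // Destructive route: DELETE only, and a capability check is mandatory.
    register_rest_route( 'example-maps/v1', '/markers/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_maps_delete_marker',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_maps_list_markers( WP_REST_Request $request ) {
    // Markers are kept in a single option here purely to keep the example self-contained.
    return rest_ensure_response( get_option( 'example_maps_markers', array() ) );
}

function example_maps_delete_marker( WP_REST_Request $request ) {
    $id      = (int) $request['id'];
    $markers = get_option( 'example_maps_markers', array() );
    if ( ! isset( $markers[ $id ] ) ) {
        return new WP_Error( 'not_found', 'Unknown marker', array( 'status' => 404 ) );
    }
    unset( $markers[ $id ] );
    update_option( 'example_maps_markers', $markers );
    return rest_ensure_response( array( 'deleted' => $id ) );
}

// AJAX bridge. Requests that arrive through admin-ajax.php do not pass the REST
// server's own cookie-plus-nonce check, so the bridge must verify a nonce itself.
// Only the logged-in hook is registered; there is deliberately no
// wp_ajax_nopriv_ counterpart, so anonymous callers never reach this code.
add_action( 'wp_ajax_example_maps_rest_request', function () {
    // Dies with HTTP 403 unless a valid 'example_maps_rest' nonce is in the 'nonce' field.
    check_ajax_referer( 'example_maps_rest', 'nonce' );

    $route  = isset( $_POST['route'] ) ? sanitize_text_field( wp_unslash( $_POST['route'] ) ) : '';
    $method = isset( $_POST['method'] ) ? strtoupper( sanitize_key( $_POST['method'] ) ) : 'GET';

    // Forward only to this plugin's own namespace and only with an expected verb.
    if ( strpos( $route, '/example-maps/v1/' ) !== 0
        || ! in_array( $method, array( 'GET', 'POST', 'DELETE' ), true ) ) {
        wp_send_json_error( 'invalid route or method', 400 );
    }

    $params  = ( isset( $_POST['params'] ) && is_array( $_POST['params'] ) ) ? wp_unslash( $_POST['params'] ) : array();
    $request = new WP_REST_Request( $method, $route );
    $request->set_body_params( $params );

    // rest_do_request() still runs the route's permission_callback, so the bridge
    // cannot be used to skip the capability check registered above.
    $response = rest_do_request( $request );
    wp_send_json( $response->get_data(), $response->get_status() );
} );
```

The page's own script obtains the nonce from `wp_create_nonce( 'example_maps_rest' )` (typically via `wp_localize_script`) and sends it in the `nonce` field of each POST to admin-ajax.php; a request forged from another origin cannot carry that value, which is what closes the CSRF path. When auditing a plugin for this class of issue, the two things to grep for are `register_rest_route` calls that lack `'permission_callback'` (WordPress 5.5+ logs a `_doing_it_wrong` notice for these) and `wp_ajax_` / `wp_ajax_nopriv_` handlers that never call `check_ajax_referer` or `wp_verify_nonce`.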
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=9.0.46
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/wp-google-maps/trunk/includes/class.rest-api.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- research.cleantalk.org/cve-2025-11166 (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/840ba5b2-838a-455a-b39d-865f89c05249 (nvd)
News mentions
No linked articles in our index yet.