VYPR
High severity 8.8 · NVD Advisory · Published Nov 11, 2025 · Updated Apr 15, 2026

CVE-2025-11307

Description

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated stored XSS in WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 via unsanitized AJAX input.

The WP Go Maps (formerly WP Google Maps) WordPress plugin before version 9.0.48 is vulnerable to an unauthenticated stored cross-site scripting (XSS) issue. The plugin fails to sanitize user input supplied via an AJAX action, allowing arbitrary JavaScript payloads to be stored on the server [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
