CVE-2025-11307

WP Google Maps < 9.0.48 - Unauthenticated Stored XSS

CVSS 8.8 HIGHEPSS 1.9%

Vexday Risk Score

36Atención

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 8.8EPSS 1.9%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

11 nov 2025Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Productos afectados

Unknown · WP Go Maps (formerly WP Google Maps)

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/