Cyber Resilience

CVE-2025-11307

High

Published: 11 November 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0473 (89.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11307 is a high-severity vulnerability of an unspecified weakness type. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 10.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

The WP Go Maps (formerly WP Google Maps) WordPress plugin before version 9.0.48 contains an input sanitization flaw in an AJAX action. Unauthenticated users can supply arbitrary data that is stored and later retrieved by a second AJAX endpoint, which outputs the content without escaping and thereby enables stored cross-site scripting.

An attacker can exploit the issue over the network without authentication or special privileges. Successful injection allows execution of attacker-controlled scripts in the context of other users who trigger the retrieval call, producing impacts consistent with the CVSS 8.8 rating that includes confidentiality, integrity, and availability compromise.

The vulnerability is addressed by updating to version 9.0.48 or later, as noted in the WPScan advisory at https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/.
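To check whether an install is below the fixed release, the following added example (not code from the plugin, the advisory or this site) reads a WordPress plugin file header and compares its version numerically against 9.0.48. It assumes the header's `Plugin Name` contains one of the product names given on this page; the sample headers are constructed.

```python
import re
from pathlib import Path

FIXED = (9, 0, 48)  # first fixed release, per the text above
NAMES = ("wp go maps", "wp google maps")  # product names as given on this page (assumed to appear in the header)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_header(php_source):
    """Return {'plugin name': ..., 'version': ...} from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):  # headers sit at the top of the file
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(text):
    """Numeric comparison key: '9.0.5' -> (9, 0, 5); None if no leading version number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if m is None:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(php_source):
    """Classify one plugin file: 'not-target', 'unknown-version', 'vulnerable' or 'patched'."""
    fields = parse_header(php_source)
    name = fields.get("plugin name", "").lower()
    if not any(n in name for n in NAMES):
        return "not-target"
    ver = version_tuple(fields.get("version", ""))
    if ver is None:
        return "unknown-version"
    # Compare as integers: as strings, "9.0.5" sorts after "9.0.48" and would look patched.
    return "vulnerable" if ver < FIXED else "patched"

def scan(plugins_dir):
    """Yield (path, status) for matching plugin files one level below a plugins directory."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        status = assess(php.read_text(errors="replace"))
        if status != "not-target":
            yield str(php), status

# Constructed sample headers (not copied from the real plugin).
SAMPLE_OLD = "<?php\n/*\nPlugin Name: WP Go Maps (formerly WP Google Maps)\nVersion: 9.0.5\n*/\n"
SAMPLE_NEW = SAMPLE_OLD.replace("9.0.5", "9.0.48")

if __name__ == "__main__":
    print(assess(SAMPLE_OLD), assess(SAMPLE_NEW))
```

Pass `scan()` the site's plugins directory to list every matching file with its status.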

EPSS for the CVE rose from a low baseline to a peak of 0.1376 on 2025-12-11 before receding to the current value of 0.0473, indicating a period of increased exploitation interest after public disclosure.

Vulnerability details

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1491 Defacement (Impact)
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.

Why these techniques?

A stored XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190). It allows arbitrary JavaScript execution, which can be used to steal web session cookies (T1539) and deface the site (T1491).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and sanitization of unsanitized user inputs submitted via AJAX to prevent storage of XSS payloads.

prevent

Mandates filtering and escaping of information output retrieved via AJAX to block execution of stored XSS payloads in victim browsers.

prevent

Ensures timely remediation of the plugin flaw through patching to version 9.0.48, addressing both input sanitization and output escaping deficiencies.
