CVE-2025-11307
Published: 11 November 2025
Summary
CVE-2025-11307 is a high-severity stored cross-site scripting vulnerability in the WP Go Maps WordPress plugin; the record assigns no CWE. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
The WP Go Maps (formerly WP Google Maps) WordPress plugin before version 9.0.48 contains an input sanitization flaw in an AJAX action. Unauthenticated users can supply arbitrary data that is stored and later retrieved by a second AJAX endpoint, which outputs the content without escaping and thereby enables stored cross-site scripting.
An attacker can exploit the issue over the network without authentication or special privileges: the storing AJAX action accepts arbitrary data from anonymous visitors. The stored payload then executes in the browser of any user who triggers the retrieving AJAX call, with that user's session and privileges on the site, which is why the CVSS 8.8 rating covers confidentiality, integrity, and availability impact.
The vulnerability is fixed in version 9.0.48; update to that version or later, as noted in the WPScan advisory at https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/.
EPSS for the CVE rose from a low baseline to a peak of 0.1376 on 2025-12-11 before receding to its current value of 0.0473, indicating a period of heightened exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-74048
Vulnerability details
The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.
- CWE(s): none assigned
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stored XSS flaw in a public-facing WordPress plugin is reached through the public-facing application itself (T1190). The injected JavaScript runs in victims' browsers and can steal web session cookies (T1539) or deface the site (T1491).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of user input submitted via the AJAX action, so that XSS payloads are never stored.
- SI-15 (Information Output Filtering): mandates escaping of information output by the retrieving AJAX call for the context it is rendered in, so that any stored payload cannot execute in victim browsers.
- Timely remediation by updating the plugin to version 9.0.48 or later, which addresses both the input sanitization and the output escaping deficiencies.
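The store-then-retrieve AJAX pattern described under Deeper analysis, shown alongside the SI-10 and SI-15 controls listed above, as an added PHP example. This is illustrative code written for this page, not WP Go Maps' own source: the action names demo_save_note and demo_get_note, the option key demo_note, the edit_posts capability and the 500-byte limit are assumptions. The actual remediation for the CVE is updating the plugin to 9.0.48 or later.

```php
<?php
// Added example for this page, not WP Go Maps code. Hypothetical plugin with two
// AJAX actions: demo_save_note stores a string, demo_get_note returns it. Action
// names, option key, capability and length limit are assumptions.

// ---- Vulnerable pattern (mirrors the advisory; do not ship) ----------------
// A nopriv hook means any unauthenticated visitor can store arbitrary data.
function demo_save_note_vulnerable() {
    update_option( 'demo_note', wp_unslash( $_POST['note'] ?? '' ) ); // no validation, no sanitization
    wp_die();
}
// Retrieval echoes the stored value raw: a stored <script> runs in the browser
// of whichever user (often an administrator) triggers this call.
function demo_get_note_vulnerable() {
    echo get_option( 'demo_note', '' );
    wp_die();
}
// add_action( 'wp_ajax_nopriv_demo_save_note', 'demo_save_note_vulnerable' );
// add_action( 'wp_ajax_demo_get_note',         'demo_get_note_vulnerable' );

// ---- Hardened pattern ------------------------------------------------------
// SI-10 (input validation): authenticate, authorize, verify the nonce, then
// type-check, sanitize and bound the value before anything reaches the database.
function demo_save_note_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_note_nonce', 'nonce' ); // dies on a missing or invalid CSRF token

    $raw  = ( isset( $_POST['note'] ) && is_string( $_POST['note'] ) ) ? wp_unslash( $_POST['note'] ) : '';
    $note = sanitize_text_field( $raw );             // strips tags, control chars, leading/trailing space
    if ( '' === $note || strlen( $note ) > 500 ) {   // enforce a length bound as well as a shape
        wp_send_json_error( 'invalid note', 400 );
    }
    update_option( 'demo_note', $note );
    wp_send_json_success();
}

// SI-15 (output filtering): escape for the context the data is emitted into.
// Returning JSON keeps the value as data; the client must still render it with
// textContent rather than innerHTML.
function demo_get_note_hardened() {
    wp_send_json_success( array( 'note' => get_option( 'demo_note', '' ) ) );
}
// When the value is emitted as HTML instead, escape at the point of output.
function demo_render_note_html() {
    echo '<div class="note">' . esc_html( get_option( 'demo_note', '' ) ) . '</div>';
}

add_action( 'wp_ajax_demo_save_note', 'demo_save_note_hardened' ); // no nopriv hook: logged-in users only
add_action( 'wp_ajax_demo_get_note',  'demo_get_note_hardened' );
```

The nonce checked by check_ajax_referer would be generated with wp_create_nonce( 'demo_note_nonce' ) and sent as the nonce POST field. Sanitizing at store time and escaping at render time are both needed: a stored value can later reach output contexts the storing code never anticipated, and a single filter on either side is what the advisory shows failing.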