WP Go Maps (WP Google Maps) is a widely used mapping plugin (300k+ installs) that lets administrators create maps, markers, and geometry layers for pages and posts. During testing, we identified CVE-2025-11166, a set of Cross-Site Request Forgery (CSRF) and Missing Authorization flaws caused by a state-changing REST→AJAX bridge that lacks CSRF nonces and, in at least one case, a permissive GET-only destructive route with no permission callback. The net effect is that an attacker can trick a logged-in Admin/Editor into creating, modifying, or deleting markers and geometry; and can mass delete markers anonymously via an unauthenticated GET, enabling both content tampering and denial-of-service (DoS).
| Field | Value |
|---|---|
| CVE | CVE-2025-11166 |
| Plugin Version | WP Go Maps (formerly WP Google Maps) <= 9.0.46 |
| Critical | High |
| All Time | 25 785 498 |
| Active installations | 300 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11166 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-maps/wp-go-maps-formerly-wp-google-maps-9046-cross-site-request-forgery-to-plugin-settings-update |
Timeline
| Date | Event |
|---|---|
| September 14, 2025 | Plugin testing and vulnerability detection in the WP Go Maps (formerly WP Google Maps) have been completed |
| September 14, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 9, 2025 | Registered CVE-2025-11166 |
Discovery of the Vulnerability
The plugin exposes internal REST endpoints through an admin-ajax.php bridge action, wpgmza_rest_api_request, without enforcing a CSRF token or robust capability checks. Multiple state-changing operations (create/update/delete of markers and geometry) are callable by sending POSTs to the bridge while a privileged user is logged in and visits an attacker-controlled page (classic CSRF). Additionally, a mass-delete duplicate markers feature is reachable anonymously via a plain GET, making data destruction possible without any session at all. The absence of permission_callback on certain routes and the lack of nonce verification across the bridge are the core root causes.
Understanding CSRF attacks
In WordPress, secure state changes require two independent controls: capability checks (e.g., current_user_can(...)) and CSRF nonces (e.g., check_ajax_referer() / REST X-WP-Nonce). When either is missing, attackers can:
- CSRF: Make a logged-in victim’s browser send authenticated requests that update plugin data without consent.
- Missing Auth / Open GET: Hit a state-changing endpoint directly—no session, no nonce, no capability—resulting in unauthenticated destructive actions.
This pattern has repeatedly produced high-impact WordPress CVEs where admin-side features were bridged to AJAX/REST without nonces or with permissive permission_callbacks. CVE-2025-11166 follows the same class: a REST-to-AJAX bridge that trusts inbound parameters and the browser session, and a GET endpoint that performs deletion with no authorization.
Exploiting the CSRF Vulnerability
To exploit CVE-2025-11166, an attacker needs no session at all for the mass-delete request; the other two requests are classic CSRF and are sent by a logged-in victim's browser when it loads an attacker-controlled page:
PoC:
Mass delete (anonymous GET)
GET /wp-admin/admin-ajax.php?action=wpgmza_rest_api_request&route=/markers&action=remove-duplicates

Delete one marker (CSRF, logged-in victim)
POST /wp-admin/admin-ajax.php
action=wpgmza_rest_api_request&route=/markers/42&simulateDelete=1

Create phishing marker (CSRF)
POST /wp-admin/admin-ajax.php
action=wpgmza_rest_api_request&route=/markers&map_id=1&lat=51.5&lng=-0.12&title=Official&link=https%3A%2F%2Fattacker.example&approved=1
- Content tampering / phishing: Attackers seed "official"-looking markers linking to credential harvesters, or relocate markers to mislead customers (e.g., store hours, pickup points).
- Data destruction / DoS: Anonymous mass-delete lets anyone repeatedly purge markers (or geometry), forcing editors into constant rework and rendering maps unreliable.
- Brand damage & SEO harm: Defaced maps and malicious links reduce user trust and may trigger search engine warnings.
- Operational impact: Organizations relying on marker data (events, outlets, service areas) can see outages, customer support spikes, and revenue loss.
- Privilege escalation chains: CSRF can be combined with other site features (e.g., file importers) to move toward broader compromise.
Recommendations for Improved Security
For the plugin vendor:
- Enforce CSRF nonces in the AJAX bridge (wpgmza_rest_api_request) and all state-changing routes; require X-WP-Nonce for REST calls.
- Add a strict permission_callback to each REST route; do not allow destructive actions via GET; use POST/DELETE with capability checks (edit_posts, manage_options, or a dedicated capability).
- Reject unauthenticated access to any endpoint that changes server state; remove or harden mass-delete.
- Input validation and route allowlisting in the bridge: only forward specific, vetted operations.
- Defense in depth: rate-limit destructive routes and log all delete operations with user and IP for audits.
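The two controls described under "Understanding CSRF attacks" (a nonce plus a capability check), applied to the vendor-side recommendations above, as an added example. This is not WP Go Maps' own code; the nonce action wpgmza_bridge, the REST namespace wpgmza-example/v1, the AJAX action wpgmza_example_bridge and the marker table {prefix}example_markers are placeholders chosen for the illustration.

```php
<?php
// Added example (not WP Go Maps' code): a hardened REST->AJAX bridge that pairs a
// CSRF nonce with per-route permission callbacks, forwards only allowlisted routes,
// never mutates state on GET, and audits every delete with user and IP.
// Assumed placeholders: nonce action 'wpgmza_bridge', namespace 'wpgmza-example/v1',
// table {prefix}example_markers.

// Vetted bridge routes and the verbs each may be called with.
const WPGMZA_EXAMPLE_ROUTES = [
    '#^/markers$#'             => ['GET', 'POST'],
    '#^/markers/duplicates$#'  => ['DELETE'],
    '#^/markers/(?P<id>\d+)$#' => ['GET', 'DELETE'],
];

// Logged-in users only: there is deliberately no wp_ajax_nopriv_ hook.
add_action('wp_ajax_wpgmza_example_bridge', 'wpgmza_example_bridge');

function wpgmza_example_bridge(): void {
    // Control 1 (CSRF): the request must carry a nonce bound to this user's session.
    check_ajax_referer('wpgmza_bridge', 'nonce'); // sends 403 and exits on failure

    // The verb is the real HTTP method, never a parameter such as simulateDelete.
    $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');
    $route  = sanitize_text_field(wp_unslash($_REQUEST['route'] ?? ''));

    $allowed = false;
    foreach (WPGMZA_EXAMPLE_ROUTES as $pattern => $verbs) {
        if (preg_match($pattern, $route) && in_array($method, $verbs, true)) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        wp_send_json_error(['message' => 'route/method not permitted via bridge'], 403);
    }

    // Control 2 (authorization) lives in the REST route's permission_callback, so the
    // bridge cannot bypass it: dispatch internally through the REST server.
    $request = new WP_REST_Request($method, '/wpgmza-example/v1' . $route);
    $request->set_body_params(array_diff_key($_POST, array_flip(['action', 'route', 'nonce'])));
    $response = rest_do_request($request);
    wp_send_json($response->get_data(), $response->get_status());
}

add_action('rest_api_init', function (): void {
    $can_edit   = fn() => current_user_can('edit_posts');
    $can_manage = fn() => current_user_can('manage_options');

    register_rest_route('wpgmza-example/v1', '/markers', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wpgmza_example_create_marker',
        'permission_callback' => $can_edit,
        'args'                => [
            'map_id' => ['required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint'],
            'lat'    => ['required' => true, 'type' => 'number'],
            'lng'    => ['required' => true, 'type' => 'number'],
            'title'  => ['type' => 'string', 'sanitize_callback' => 'sanitize_text_field'],
            'link'   => ['type' => 'string', 'format' => 'uri', 'sanitize_callback' => 'esc_url_raw'],
        ],
    ]);
    // Destructive operations are DELETE-only and admin-only; there is no GET variant.
    register_rest_route('wpgmza-example/v1', '/markers/duplicates', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wpgmza_example_remove_duplicates',
        'permission_callback' => $can_manage,
    ]);
    register_rest_route('wpgmza-example/v1', '/markers/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wpgmza_example_delete_marker',
        'permission_callback' => $can_manage,
    ]);
});

function wpgmza_example_create_marker(WP_REST_Request $req) {
    global $wpdb;
    $ok = $wpdb->insert($wpdb->prefix . 'example_markers', [
        'map_id' => $req['map_id'], 'lat' => $req['lat'], 'lng' => $req['lng'],
        'title'  => $req['title'] ?? '', 'link' => $req['link'] ?? '',
    ], ['%d', '%f', '%f', '%s', '%s']);
    if ($ok === false) {
        return new WP_Error('db_error', 'insert failed', ['status' => 500]);
    }
    return new WP_REST_Response(['id' => $wpdb->insert_id], 201);
}

function wpgmza_example_delete_marker(WP_REST_Request $req) {
    global $wpdb;
    $deleted = $wpdb->delete($wpdb->prefix . 'example_markers', ['id' => $req['id']], ['%d']);
    wpgmza_example_audit('delete marker ' . $req['id'], (int) $deleted);
    return rest_ensure_response(['deleted' => (int) $deleted]);
}

function wpgmza_example_remove_duplicates(WP_REST_Request $req) {
    global $wpdb;
    $t = $wpdb->prefix . 'example_markers';
    // Keep the lowest id of each (map_id, lat, lng) group and delete the rest.
    $deleted = $wpdb->query("DELETE a FROM {$t} a JOIN {$t} b
        ON a.map_id = b.map_id AND a.lat = b.lat AND a.lng = b.lng AND a.id > b.id");
    wpgmza_example_audit('remove duplicates', (int) $deleted);
    return rest_ensure_response(['deleted' => (int) $deleted]);
}

// Defense in depth: every delete is logged with user and IP for audits.
function wpgmza_example_audit(string $what, int $rows): void {
    error_log(sprintf('[wpgmza-example] %s rows=%d user=%d ip=%s', $what, $rows,
        get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '-'));
}
```

The admin-side JavaScript obtains the bridge nonce from wp_create_nonce('wpgmza_bridge') (for instance via wp_localize_script) and sends it as the nonce parameter. Calls that go straight to /wp-json/wpgmza-example/v1/... need the core X-WP-Nonce header (wp_create_nonce('wp_rest')): WordPress cookie authentication drops the current user when that header is missing or invalid, so the permission_callback rejects the request. Rate limiting of the destructive routes, also recommended above, is not shown here.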
For site owners:
- Monitor map changes and configure alerts for marker/geometry deletions or bulk operations.
- Update immediately to a patched version once available.
- Deploy a WAF to block suspicious wpgmza_rest_api_request patterns and GET deletes.
- Limit editor exposure to untrusted links (email, chat) to reduce CSRF risk; consider SameSite=strict for auth cookies where feasible.
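For the monitoring and WAF items above, a site-owner-side stopgap as an added example (not CleanTalk's or the plugin's code): a must-use plugin that blocks the request shapes shown in the PoC, rejects state-changing bridge calls that the browser reports as cross-site, and writes an audit line for every delete-like call so alerts can be built on it. The audit log path wp-content/wpgmza-bridge-audit.log and the edit_posts capability threshold are assumptions for this illustration.

```php
<?php
// Added example, not the plugin's or CleanTalk's code: a must-use plugin
// (drop into wp-content/mu-plugins/) that virtually patches the bridge until the
// site can be updated. Assumed: audit log at wp-content/wpgmza-bridge-audit.log.

function wpgmza_example_raw_request(): string {
    // PHP collapses duplicate keys (the PoC sends 'action' twice), so match on the
    // raw query string plus the POST body rather than on $_REQUEST['action'].
    return ($_SERVER['QUERY_STRING'] ?? '') . '&' . http_build_query($_POST);
}

function wpgmza_example_is_cross_site(): bool {
    $site_host  = (string) wp_parse_url(home_url(), PHP_URL_HOST);
    $fetch_site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
    if ($fetch_site === 'cross-site') {
        return true; // the browser itself says another origin initiated this request
    }
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($_SERVER[$header])) {
            $host = (string) wp_parse_url($_SERVER[$header], PHP_URL_HOST);
            return strcasecmp($host, $site_host) !== 0;
        }
    }
    return false; // no origin information at all: let the capability check decide
}

function wpgmza_example_guard_audit(string $verdict, string $method, string $raw): void {
    $line = sprintf("[%s] %s %s user=%d ip=%s req=%s\n", gmdate('c'), $verdict, $method,
        get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '-', $raw);
    error_log($line, 3, WP_CONTENT_DIR . '/wpgmza-bridge-audit.log');
}

function wpgmza_example_guard_bridge(): void {
    $raw = wpgmza_example_raw_request();
    if (stripos($raw, 'action=wpgmza_rest_api_request') === false) {
        return; // not the bridge; leave every other AJAX action alone
    }
    $method      = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');
    $delete_like = $method === 'DELETE'
        || stripos($raw, 'remove-duplicates') !== false
        || stripos($raw, 'simulateDelete') !== false;

    $reason = '';
    if ($method === 'GET' && $delete_like) {
        $reason = 'destructive action over GET';
    } elseif ($method !== 'GET' && wpgmza_example_is_cross_site()) {
        $reason = 'cross-site state change (CSRF pattern)';
    } elseif ($delete_like && !current_user_can('edit_posts')) {
        $reason = 'unauthenticated or unprivileged delete';
    }

    if ($reason !== '') {
        wpgmza_example_guard_audit('BLOCK ' . $reason, $method, $raw);
        wp_die('Forbidden', '', ['response' => 403]);
    }
    if ($delete_like) {
        wpgmza_example_guard_audit('ALLOW', $method, $raw);
    }
}
// admin_init fires in admin-ajax.php before any wp_ajax_* handler runs.
add_action('admin_init', 'wpgmza_example_guard_bridge', 0);
```

The Origin/Referer comparison is a heuristic, not a replacement for the vendor fix: a cross-site POST always carries an Origin header in current browsers, but a same-site request whose Referer has been stripped by a privacy setting falls through to the capability check rather than being blocked. Alerting on the BLOCK lines, and on bursts of ALLOW lines, covers the monitoring recommendation.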
By taking proactive measures to address CSRF vulnerabilities like CVE-2025-11166, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
