CVE-2021-25011: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-25011 affects the Maps Plugin using Google Maps for WordPress (gmap-embed) versions before 1.8.1. The vulnerability was discovered and publicly published on December 8, 2021. It involves improper authorization and CSRF (Cross-Site Request Forgery) issues in most of its AJAX actions (WPScan).

The vulnerability stems from missing authorization checks and CSRF protections in the plugin's AJAX actions. It has been assigned a CVSS score of 5.4 (medium) and is classified under CWE-862 (Missing Authorization) and OWASP Top 10 category A5: Broken Access Control. The vulnerability specifically affects the plugin's AJAX endpoints that handle post deletion and settings updates (WPScan).

The vulnerability allows any authenticated users, including those with low-privilege roles such as subscribers, to perform unauthorized actions including deleting arbitrary posts and updating the plugin's settings. This could lead to significant site content manipulation and potential disruption of the plugin's functionality (WPScan).

The vulnerability was fixed in version 1.8.1 of the plugin, which added proper authorization checks. However, it's worth noting that CSRF protections were still missing in this version and were addressed in a separate advisory. Users are advised to upgrade to version 1.8.1 or later to mitigate this vulnerability (WPScan, WordPress).