CVE-2025-11307: 
WordPress vulnerability analysis and mitigation

The WP Go Maps (formerly WP Google Maps) WordPress plugin before version 9.0.48 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on October 21, 2025, and was assigned CVE-2025-11307. The plugin fails to properly sanitize user input provided through an AJAX action, which affects websites using vulnerable versions of the plugin (WPScan).

The vulnerability stems from insufficient input sanitization in the AJAX functionality. Specifically, unauthenticated users can store XSS payloads via the 'wpgmzastorenominatimcache' AJAX action, which are later retrieved through another AJAX call ('wpgmzaquerynominatimcache') and output unescaped. The vulnerability has been assigned a CVSS score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Rapid7).

When exploited, this vulnerability allows unauthenticated attackers to store malicious JavaScript code that executes in the context of other users' browsers when they access the affected pages. This can lead to theft of sensitive information, session hijacking, or other client-side attacks against legitimate users of the website (Rapid7).

The vulnerability has been patched in version 9.0.48 of the WP Go Maps plugin. Website administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).