CVE-2025-11365: 
WordPress vulnerability analysis and mitigation

The WP Google Map Plugin for WordPress (versions up to 1.0) contains a blind SQL Injection vulnerability identified as CVE-2025-11365. The vulnerability was discovered and disclosed on October 15, 2025, affecting the 'id' parameter of the 'google_map' shortcode. This security issue impacts WordPress installations with the WP Google Map Plugin installed (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the 'id' parameter of the 'google_map' shortcode. The issue has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD, Patchstack).

The vulnerability allows authenticated attackers with Contributor-level access or higher to append additional SQL queries to existing queries. This can be exploited to extract sensitive information from the database, potentially compromising the security and confidentiality of the WordPress installation (NVD).

As of the disclosure date, no official fix has been released for this vulnerability. Website administrators running affected versions of the WP Google Map Plugin should consider disabling the plugin until a patch is available (Patchstack).