CVE-2025-11703: 
WordPress vulnerability analysis and mitigation

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in versions up to and including 9.0.48. This vulnerability was discovered by Dmitrii Ignatyev from CleanTalk Inc and was publicly disclosed on October 17, 2025. The vulnerability has been assigned CVE-2025-11703 with a CVSS v3.1 base score of 5.3 (Medium) (NVD).

The vulnerability stems from the plugin not properly serving cached data from server-side responses and instead relying on user-input for location search results. The issue is classified as CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data). The vulnerability has a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to poison the cache location for location search results. This could lead to users receiving incorrect or malicious location data when using the map's search functionality (NVD).

The vulnerability has been patched in version 9.0.49 of the WP Go Maps plugin. Users are advised to update to this version or later to mitigate the risk. The fix includes changes to the way the plugin handles cached data and implements proper server-side response validation (GitHub PR).