CVE-2021-25011

MEDIUM

WP Google Map < 1.8.1 - Authenticated Missing Authorization and CSRF in AJAX Actions


Description

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not perform proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings.

References (2)

Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/6639da0d-6d29-46c1-a3cc-5e5626305833

Release Notes, Third Party Advisory (x_refsource_confirm)
https://plugins.trac.wordpress.org/changeset/2641450

Scores

CVSS v3: 5.7
EPSS: 0.0042
EPSS Percentile: 33.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Details

CWE: CWE-352, CWE-862
Status: published
Products (1): wpgooglemap/wp_google_map < 1.8.1
Published: Feb 28, 2022
Tracked Since: Feb 18, 2026