CVE-2025-11307
HIGH EXPLOITED NUCLEIWP Go Maps < 9.0.48 - Unauthenticated Stored Cross-Site Scripting via AJAX Action
Title source: llmExploitation Summary
CVE-2025-11307 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.
Nuclei Templates (1)
WP Google Maps < 9.0.48 - Cross-Site Scripting
HIGHVERIFIEDby 0x_Akoko
Shodan:
http.html:"wp-google-maps"
FOFA:
body="wp-google-maps"
References (1)
Core 1
Core References
Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/
Scores
CVSS v3
8.8
EPSS
0.0473
EPSS Percentile
89.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2026-05-04
Status
published
Products (1)
Unknown/WP Go Maps (formerly WP Google Maps)
< 9.0.48
Published
Nov 11, 2025
Tracked Since
Feb 18, 2026