CVE-2025-11365
📋 TL;DR
This vulnerability allows authenticated attackers with Contributor-level access or higher to perform blind SQL injection attacks via the 'id' parameter in the WP Google Map Plugin's shortcode. Attackers can extract sensitive information from the database by injecting malicious SQL queries. All WordPress sites using this plugin up to version 1.0 are affected.
💻 Affected Systems
- WP Google Map Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, sensitive content, and potentially privilege escalation to administrative access.
Likely Case
Extraction of sensitive data like user emails, hashed passwords, and private content from the database.
If Mitigated
Limited impact if proper access controls and input validation are in place, though SQL injection remains possible.
🎯 Exploit Status
Requires authenticated access and knowledge of SQL injection techniques. Blind SQL injection requires more sophisticated exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.0 (check WordPress plugin repository for latest)
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-google-map/trunk/shortcode.php#L8
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Google Map Plugin'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin immediately.
🔧 Temporary Workarounds
Remove vulnerable shortcode usage
Temporarily remove or disable any usage of the 'google_map' shortcode in posts/pages until patched.
🧯 If You Can't Patch
- Remove Contributor and higher access from untrusted users
- Implement web application firewall (WAF) with SQL injection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'WP Google Map Plugin' version 1.0 or earlier.
Check Version:
wp plugin list --name='wp-google-map' --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is greater than 1.0 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL-like patterns in requests
Network Indicators:
- HTTP POST/GET requests with SQL injection patterns in 'id' parameter to WordPress endpoints
SIEM Query:
web.url:*google_map* AND (web.query:*id=* OR web.query:*id%*) AND web.query:*(SELECT|UNION|INSERT|UPDATE|DELETE|DROP|OR|AND)*
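Detection logic for the indicators above, added here as an example and not taken from the advisory or the plugin: it applies the SIEM query's keyword list to the 'id' value of requests in Apache/nginx combined-format access logs and, because the parameter is a shortcode attribute, also scans stored post content for [google_map] shortcodes whose id is not a plain integer. Keywords are matched as whole words so that values like 'order' or 'author', which the bare OR/AND wildcards in the SIEM query would hit, do not fire. The log lines, post text and the query-string form of google_map requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# SQL keywords from the advisory's SIEM query, matched as whole words so that
# ordinary values such as "order" or "author" do not fire.
SQL_KEYWORDS = re.compile(
    r"\b(SELECT|UNION|INSERT|UPDATE|DELETE|DROP|OR|AND)\b", re.IGNORECASE)
# Time-based probes typical of blind injection, which the keyword list misses.
BLIND_HINTS = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
# [google_map ... id=...] shortcode; the id attribute may be quoted or bare.
SHORTCODE_RE = re.compile(
    r'\[google_map\b[^\]]*?\bid=("([^"]*)"|\'([^\']*)\'|([^\s\]]+))', re.IGNORECASE)
# Request line of an Apache/nginx combined-format log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def is_malicious_id(value: str) -> bool:
    """A legitimate map id is a plain non-negative integer; anything else that
    carries a SQL keyword or a timing probe is flagged."""
    value = unquote_plus(value).strip()  # decode again to catch double-encoding
    if value.isdigit():
        return False
    return bool(SQL_KEYWORDS.search(value) or BLIND_HINTS.search(value))


def shortcode_findings(post_content: str) -> list[str]:
    """Return suspicious id attributes of google_map shortcodes in post text."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        value = m.group(2) or m.group(3) or m.group(4) or ""
        if is_malicious_id(value):
            hits.append(value)
    return hits


def request_findings(log_line: str) -> list[str]:
    """Apply the advisory's SIEM query to one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m or "google_map" not in m.group("target").lower():
        return []
    query = urlsplit(m.group("target")).query
    return [v for v in parse_qs(query, keep_blank_values=True).get("id", [])
            if is_malicious_id(v)]


# Constructed samples (not real post content or traffic).
SAMPLE_POST = 'Offices: [google_map id="3"] and [google_map id="3 OR 1=1" zoom=10]'
SAMPLE_LOG = [
    '203.0.113.5 - editor [10/Oct/2025:10:00:01 +0000] "GET /?google_map=1&id=7 HTTP/1.1" 200 512',
    '203.0.113.5 - editor [10/Oct/2025:10:00:09 +0000] "GET /?google_map=1&id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2025:10:01:00 +0000] "GET /?s=order%20form HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print("post content:", shortcode_findings(SAMPLE_POST))
    for n, line in enumerate(SAMPLE_LOG, 1):
        for v in request_findings(line):
            print(f"log line {n}: suspicious id={v!r}")
```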