WP Go Maps Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the WP Go Maps (formerly WP Google Maps) plugin for WordPress, affecting all versions through 9.0.46. The vulnerability arises because the plugin exposes state-changing REST actions through an AJAX bridge without adequate CSRF token (nonce) validation. Additionally, destructive actions are reachable through GET requests whose routes lack proper permission callbacks. This flaw allows an unauthenticated attacker to trick a logged-in administrator's browser into issuing requests that alter or delete markers and geometry features. Furthermore, because the unsafe GET routes perform no permission check at all, anonymous users can trigger mass deletion of markers directly.

Impact

Exploitation allows for unauthorized actions to be performed on behalf of logged-in administrators, including the creation, modification, or deletion of markers and geometry features. Additionally, it enables anonymous users to trigger mass deletions of markers.

Reproduction

To reproduce this vulnerability, send a GET request to one of the vulnerable REST endpoints without the required CSRF token. This can be done by an unauthenticated user, taking advantage of the missing permission checks on GET requests.

Remediation

Users are advised to update the WP Go Maps plugin to version 9.0.47 or later.
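As an added illustration for developers of similar plugins (this is not code from WP Go Maps or from its 9.0.47 fix), the following shows the two WordPress mechanisms whose absence the advisory describes: a REST route that carries a permission_callback and accepts only DELETE, and an admin-ajax handler that verifies a nonce before changing state. The route namespace, capability, function names, option names and nonce action are hypothetical.

```php
<?php
// Added illustration (not WP Go Maps code): registering a destructive action
// so that it is neither reachable by anonymous GET requests nor forgeable
// cross-site. Namespace, callback and nonce action names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-maps/v1', '/markers/(?P<id>\d+)', array(
        // Destructive work only on a non-idempotent method: a plain <img>
        // or link cannot issue DELETE, and it is never a "simple" cross-site
        // request, so the browser preflights it.
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_maps_delete_marker',
        // The permission_callback is the check the advisory says was
        // missing: without it every visitor reaches the handler.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_maps_delete_marker( WP_REST_Request $request ) {
    // Cookie-authenticated REST requests count as logged in only when core
    // has verified the X-WP-Nonce header ('wp_rest' nonce). Without it the
    // request runs as an anonymous user and the permission callback above
    // already rejected it, so CSRF is handled before this code runs.
    $id = $request->get_param( 'id' );
    // ... delete the marker with id $id from the plugin's table ...
    return rest_ensure_response( array( 'deleted' => $id ) );
}

// If the same action is also exposed through admin-ajax.php (an "AJAX
// bridge"), that handler must verify a nonce itself, and a state-changing
// handler must not be hooked on wp_ajax_nopriv_* for anonymous users.
add_action( 'wp_ajax_example_maps_delete_marker', function () {
    // Sends a 403 and stops unless the 'nonce' parameter was produced by
    // wp_create_nonce( 'example_maps_delete_marker' ) for this user.
    check_ajax_referer( 'example_maps_delete_marker', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Read the id from POST only: state changes should not be driven by GET.
    $id = absint( $_POST['id'] ?? 0 );
    // ... delete the marker ...
    wp_send_json_success( array( 'deleted' => $id ) );
} );
```

The two checks are complementary: the capability test stops anonymous callers (the mass-deletion case), and the nonce, which a third-party site cannot obtain, stops a logged-in administrator's browser from being driven into the action (the CSRF case). Restricting the action to DELETE/POST is defense in depth rather than a substitute for either check.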

Added: Oct 9, 2025, 2:23 AM
Updated: Oct 9, 2025, 2:23 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.