CVE-2025-11999

MEDIUM 5.3

Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API and reset maps.

CWE	CWE-862
Vendor	krishaweb
Product	multi location marker
Published	Nov 11, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for krishaweb multi location marker

Be the first to know when new medium vulnerabilities affecting krishaweb multi location marker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

krishaweb / Multi Location Marker

0 ≤ 1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f1467d-1f66-4e99-af44-9329cfe1efac?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/add-multiple-marker/tags/1.2/functions.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3433258/

Credits

Hardik Patel