What the vulnerability does
01Description
The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API and reset maps.
Explanation of Vulnerability in Simple Terms
02Summary
Multi Location Marker versions 1.2 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify data via network requests. The vulnerability does not expose sensitive information or disrupt service availability, but permits unauthorized changes to marker content or configuration. Site administrators should update to a version newer than 1.2.
What an attacker can do
03Attacker Capabilities
Modify marker data or settings without authentication.
Potential impact on your site
04Site Impact
Attackers can alter location markers, potentially defacing the map or corrupting location data.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
November 11, 2025
CVE published
April 8, 2026
Record updated