Description
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through <= 8.6.4.
Published: 2025-04-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can upload a file of any type to the WordPress site through the MapSVG Lite plugin. The plugin performs no validation and allows a malicious web shell to be stored on the server. An uploaded shell can be executed on the web server, granting the attacker complete control over the compromised site. This vulnerability qualifies as a remote code execution flaw (CWE-434) and can lead to full compromise of the affected WordPress installation.

Affected Systems

Organizations using RomanCode's MapSVG Lite plugin for WordPress, any version up to and including 8.6.4, are affected. No specific version range beyond the maximum is listed, so all releases from the plugin’s initial release through 8.6.4 are vulnerable. The issue is tied to the mapsvg-lite-interactive-vector-maps component of the MapSVG suite.

Risk and Exploitability

The CVSS score of 9.9 signals maximum severity. The EPSS score indicates a very low but non-zero exploitation probability at present. The vulnerability is not yet cataloged in the CISA KEV list, suggesting it has not been widely observed in the wild. In practice, an attacker could exploit this flaw by simply uploading a crafted file via the plugin’s public interface, assuming the site has the vulnerable version and the attacker can access the file upload functionality. Once the file resides on the server, execution is achieved if the file is reachable by the web server, a common scenario for web shells.

Generated by OpenCVE AI on April 30, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest MapSVG Lite plugin (version 8.6.5 or newer) immediately.
  • If an upgrade is not yet possible, disable the plugin’s file upload feature from WordPress admin or block the /wp-content/uploads/mapsvg directory with web server rules.
  • Ensure that any uploader directories are configured with restrictive permissions so that uploaded files cannot be executed.
  • Monitor web server logs for unusual file uploads or execution attempts.
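
One way to carry out the log-monitoring action above, as an added example that is not part of the OpenCVE record or the plugin's code: it scans Combined Log Format access-log lines for requests to script-type files under the /wp-content/uploads/mapsvg directory named above. The extension list, the function names and the sample log lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_PREFIX = "/wp-content/uploads/mapsvg/"  # directory named in the actions above
# Assumption: extensions a PHP-enabled web server may pass to an interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "cgi", "pl"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Strip the query string, decode twice (double encoding), collapse // and dot segments."""
    path = unquote(unquote(target.split("?", 1)[0]))
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def script_like(path):
    """True for shell.php, shell.PHP, shell.php.jpg, shell.php. and shell.php/extra."""
    for segment in path[len(UPLOAD_PREFIX):].split("/"):
        parts = segment.lower().rstrip(". ").split(".")
        if any(p in SCRIPT_EXTS for p in parts[1:]):
            return True
    return False

def find_suspicious(lines):
    """Return one finding per request for a script-type file in the upload directory."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = normalise(m["target"])
        if path.startswith(UPLOAD_PREFIX) and script_like(path):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": path, "served": m["status"].startswith("2")})
    return hits

# Constructed sample log lines (documentation IP ranges), not taken from a real incident.
SAMPLE = [
    '203.0.113.7 - - [18/Apr/2025:10:01:02 +0000] "GET /wp-content/uploads/mapsvg/region.svg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Apr/2025:10:02:10 +0000] "GET /wp-content/uploads/mapsvg/x.PHP?v=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.4 - - [18/Apr/2025:10:03:00 +0000] "POST /wp-content/uploads/mapsvg/%2e/img.phtml.jpg HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.4 - - [18/Apr/2025:10:04:00 +0000] "GET /wp-content/themes/a/functions.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```

A finding with `served` set to True means the server answered with a 2xx status, which is the case to check first: whether the file exists on disk and whether the directory still allows script execution.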



Advisories
Source: EUVD
ID: EUVD-2025-11734
Title: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server. This issue affects MapSVG Lite: from n/a through 8.5.34.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server. This issue affects MapSVG Lite: from n/a through 8.5.34.
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through <= 8.6.4.

Type: Title
Values Removed: WordPress MapSVG Lite plugin <= 8.5.34 - Arbitrary File Upload Vulnerability
Values Added: WordPress MapSVG Lite plugin <= 8.6.4 - Arbitrary File Upload Vulnerability

References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server. This issue affects MapSVG Lite: from n/a through 8.5.34.
Title WordPress MapSVG Lite plugin <= 8.5.34 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:27.972Z

Reserved: 2025-04-09T11:21:24.366Z

Link: CVE-2025-32682

Vulnrichment

Updated: 2025-04-17T17:41:27.795Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:50.623

Modified: 2026-04-23T15:29:20.563

Link: CVE-2025-32682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:15:16Z

Weaknesses