Description
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through < 8.7.4.
Published: 2025-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE-2025-47559 vulnerability permits attackers to upload arbitrary files of dangerous types, such as PHP files, to a WordPress site running the MapSVG plugin before version 8.7.4. By uploading a web shell, an attacker could gain unrestricted code execution on the web server, potentially exfiltrating data, installing backdoors, or pivoting to other systems. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The affected product is the WordPress MapSVG plugin developed by RomanCode, versions earlier than 8.7.4. This includes all releases from the first available version up to 8.7.3. Users running a WordPress site with this plugin installed and not yet upgraded are at risk.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. The EPSS score of less than 1% suggests a low current exploitation probability, but public disclosure of the flaw and the simplicity of exploitation elevate the risk. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this weakness through normal user-facing file upload interfaces; no special privileges are required, so the attack is trivial if the site allows anonymous uploads or the attacker holds an account with upload permissions. Once a malicious file is placed on the server, the attacker can execute it to take control of the server.

Generated by OpenCVE AI on April 30, 2026 at 11:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MapSVG plugin to version 8.7.4 or later, which removes the upload vulnerability.
  • If upgrading immediately is not possible, restrict upload permissions so that only administrators can add files to the plugin.
  • Configure the web server or application layer to reject or sandbox uploads of executable or PHP files, for example by using .htaccess rules or file-type validation logic.

Advisories

Source: EUVD
ID: EUVD-2025-18540
Title: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.5.32.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.5.32.
    Added: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4.
  Title
    Removed: WordPress MapSVG plugin <= 8.5.32 - Arbitrary File Upload vulnerability
    Added: WordPress MapSVG plugin < 8.7.4 - Arbitrary File Upload vulnerability
  References
  Metrics (cvssV3_1): {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Tue, 17 Jun 2025 19:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 15:15:00 +0000
  Description: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.5.32.
  Title: WordPress MapSVG plugin <= 8.5.32 - Arbitrary File Upload vulnerability
  Weaknesses: CWE-434
  References
  Metrics (cvssV3_1): {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Mapsvg
Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.933Z

Reserved: 2025-05-07T09:40:07.681Z

Link: CVE-2025-47559

Vulnrichment

Updated: 2025-06-17T18:30:19.547Z

NVD

Status: Deferred

Published: 2025-06-17T15:15:43.397

Modified: 2026-04-23T15:30:29.203

Link: CVE-2025-47559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:15:35Z

Weaknesses