CVE-2025-68562 - Vulnerability Details

- WordPress MapSVG plugin <= 8.7.3 - Arbitrary File Upload vulnerability

Description

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.

Published: 2025-12-29

Score: 9.9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Unrestricted upload of files of dangerous types in the RomanCode MapSVG plugin enables an attacker to place a web shell on the host web server. The vulnerability is a clear case of insecure file upload (CWE‑434), allowing arbitrary code execution once the malicious file is stored and subsequently accessed through the server. Successful exploitation would compromise confidentiality, integrity, and availability of the underlying WordPress site.

Affected Systems

All installations of the RomanCode MapSVG plugin with version 8.7.3 or earlier on WordPress sites are affected. The issue applies whenever the upload functionality of the plugin is enabled, regardless of specific WordPress configuration or other plugins.

Risk and Exploitability

The CVSS score of 9.9 marks this vulnerability as critical, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild to date. The plugin is not listed in the CISA KEV catalog, suggesting no widespread documented exploitation. The likely attack path is through the web interface that processes file uploads; an attacker can upload an arbitrary file of any type, bypassing type checks, and later invoke it to execute code on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

RomanCode

MapSVG

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 8.7.3

No data.

Vendor	Product	Confidence	Versions
Romancode	Mapsvg	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update the WordPress MapSVG plugin to the latest available version (at least 8.7.4).

OpenCVE Recommended Actions

Update the MapSVG plugin to version 8.7.4 or newer.
If an upgrade cannot be performed immediately, disable or remove the plugin’s upload feature entirely.
Configure the web server or add .htaccess rules to prevent execution of files in the upload directory, thereby blocking potential web shells.

Generated by OpenCVE AI on April 29, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00082.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

History

Tue, 28 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/Wordpress/Plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

Tue, 28 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description	Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.7.3.	Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.
References		https://patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.	Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.7.3.
References		https://patchstack.com/database/Wordpress/Plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve

Mon, 05 Jan 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Romancode Romancode mapsvg Wordpress Wordpress wordpress
Vendors & Products		Romancode Romancode mapsvg Wordpress Wordpress wordpress

Tue, 30 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 29 Dec 2025 21:30:00 +0000

Type	Values Removed	Values Added
Description		Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.
Title		WordPress MapSVG plugin <= 8.7.3 - Arbitrary File Upload vulnerability
Weaknesses		CWE-434
References		https://vdp.patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Romancode Mapsvg

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-12-29T21:13:24.913Z

Updated: 2026-04-28T16:14:30.369Z

Reserved: 2025-12-19T10:17:23.837Z

Link: CVE-2025-68562

Vulnrichment

Updated: 2025-12-30T15:49:04.949Z

NVD

Status : Deferred

Published: 2025-12-29T22:15:43.310

Modified: 2026-04-28T19:35:57.510

Link: CVE-2025-68562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object