Mapsvg
by WordPress
CVEs (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68562 | Cri | 0.64 | 9.9 | 0.00 | Dec 29, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3. | ||
| CVE-2025-47559 | Cri | 0.64 | 9.9 | 0.00 | Jun 17, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4. | ||
| CVE-2025-32682 | Cri | 0.64 | 9.9 | 0.00 | Apr 17, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.6.4. | ||
| CVE-2025-54669 | Cri | 0.60 | 9.3 | 0.00 | Aug 14, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RomanCode MapSVG mapsvg allows SQL Injection.This issue affects MapSVG: from n/a through < 8.7.4. | ||
| CVE-2025-47561 | Hig | 0.57 | 8.8 | 0.00 | Jun 9, 2025 | Incorrect Privilege Assignment vulnerability in RomanCode MapSVG mapsvg allows Privilege Escalation.This issue affects MapSVG: from n/a through < 8.6.13. | ||
| CVE-2025-47558 | Hig | 0.49 | 7.5 | 0.00 | May 23, 2025 | Missing Authorization vulnerability in RomanCode MapSVG mapsvg allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MapSVG: from n/a through < 8.6.13. | ||
| CVE-2025-54748 | Med | 0.42 | 6.5 | 0.00 | Dec 18, 2025 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RomanCode MapSVG mapsvg allows Path Traversal.This issue affects MapSVG: from n/a through < 8.6.12. | ||
| CVE-2025-62930 | Med | 0.42 | 6.5 | 0.00 | Oct 27, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.7.22. | ||
| CVE-2024-9544 | Med | 0.42 | 6.4 | 0.00 | May 22, 2025 | The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level… | ||
| CVE-2025-47557 | Med | 0.42 | 6.5 | 0.00 | May 16, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg allows Stored XSS.This issue affects MapSVG: from n/a through <= 8.5.31. | ||
| CVE-2025-32683 | Med | 0.42 | 6.5 | 0.00 | Apr 9, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.6.6. | ||
| CVE-2025-47562 | Med | 0.34 | 5.3 | 0.00 | May 16, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg allows Code Injection.This issue affects MapSVG: from n/a through <= 8.5.34. | ||
| CVE-2025-47560 | Med | 0.33 | 5.0 | 0.00 | May 16, 2025 | Missing Authorization vulnerability in RomanCode MapSVG mapsvg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MapSVG: from n/a through < 8.6.13. | ||
| CVE-2025-32684 | Med | 0.33 | 5.0 | 0.00 | Apr 9, 2025 | Missing Authorization vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MapSVG: from n/a through <= 8.6.4. | ||
| CVE-2022-0592 | 0.06 | — | 0.10 | May 9, 2022 | The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users. | |||
| CVE-2019-1000003 | 0.00 | — | 0.01 | Feb 4, 2019 | MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker can modify post data, including embedding javascript. This attack appears to be exploitable via… |
- risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.
- risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4.
- risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.6.4.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RomanCode MapSVG mapsvg allows SQL Injection.This issue affects MapSVG: from n/a through < 8.7.4.
- risk 0.57cvss 8.8epss 0.00
Incorrect Privilege Assignment vulnerability in RomanCode MapSVG mapsvg allows Privilege Escalation.This issue affects MapSVG: from n/a through < 8.6.13.
- risk 0.49cvss 7.5epss 0.00
Missing Authorization vulnerability in RomanCode MapSVG mapsvg allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MapSVG: from n/a through < 8.6.13.
- risk 0.42cvss 6.5epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RomanCode MapSVG mapsvg allows Path Traversal.This issue affects MapSVG: from n/a through < 8.6.12.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.7.22.
- risk 0.42cvss 6.4epss 0.00
The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level…
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg allows Stored XSS.This issue affects MapSVG: from n/a through <= 8.5.31.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.6.6.
- risk 0.34cvss 5.3epss 0.00
Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg allows Code Injection.This issue affects MapSVG: from n/a through <= 8.5.34.
- risk 0.33cvss 5.0epss 0.00
Missing Authorization vulnerability in RomanCode MapSVG mapsvg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MapSVG: from n/a through < 8.6.13.
- risk 0.33cvss 5.0epss 0.00
Missing Authorization vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MapSVG: from n/a through <= 8.6.4.
- CVE-2022-0592May 9, 2022risk 0.06cvss —epss 0.10
The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users.
- CVE-2019-1000003Feb 4, 2019risk 0.00cvss —epss 0.01
MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker can modify post data, including embedding javascript. This attack appears to be exploitable via…