CVE-2019-1000003

HIGH

MapSVG Lite 3.2.3 - Cross-Site Request Forgery via mapsvg_save REST Endpoint

Title source: llm
STIX 2.1

Description

MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker can modify post data, including embedding javascript. This attack appears to be exploitable via the victim must be logged in to WordPress as an admin, and click a link. This vulnerability appears to have been fixed in 3.3.0 and later.

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
https://advisories.dxw.com/advisories/csrf-mapsvg-lite/
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9198

Scores

CVSS v3 8.8
EPSS 0.0080
EPSS Percentile 52.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
mapsvg/mapsvg_lite 3.2.3
Published Feb 04, 2019
Tracked Since Feb 18, 2026