CVE-2019-1000003
HIGHMapSVG Lite 3.2.3 - Cross-Site Request Forgery via mapsvg_save REST Endpoint
Title source: llmDescription
MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker can modify post data, including embedding javascript. This attack appears to be exploitable via the victim must be logged in to WordPress as an admin, and click a link. This vulnerability appears to have been fixed in 3.3.0 and later.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://advisories.dxw.com/advisories/csrf-mapsvg-lite/
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9198
Scores
CVSS v3
8.8
EPSS
0.0080
EPSS Percentile
52.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
mapsvg/mapsvg_lite
3.2.3
Published
Feb 04, 2019
Tracked Since
Feb 18, 2026