Platform: wordpress
Component: svg-map-by-saedi
Fixed in: 1.0.1
CVE-2025-13519 describes a Cross-Site Request Forgery (CSRF) weakness in the SVG Map by Smjrifle plugin for WordPress that can be chained into stored Cross-Site Scripting (XSS). Because the plugin's AJAX actions do not validate a nonce, an unauthenticated attacker can have a logged-in administrator's browser submit a forged request that injects malicious web scripts into plugin data, exposing administrator sessions and the site's visitors. The vulnerability affects all versions of the plugin up to and including 1.0.0. The page metadata lists 1.0.1 as the fixed release, while the mitigation text states that no patch is known; confirm the status against the plugin's changelog in the WordPress plugin repository before relying on either.
The direct impact of CVE-2025-13519 is execution of attacker-controlled JavaScript in the browser of anyone who views the affected plugin data, including administrators: session hijacking, site defacement, redirection to malicious sites, and theft of sensitive information. The root cause is insufficient nonce validation on the plugin's AJAX actions 'savedata', 'deletedata' and 'add_popup', reached through /wp-admin/admin-ajax.php. Because nothing ties those requests to a form the administrator actually submitted, an attacker can host a page or link that auto-submits a request to one of these actions with attacker-chosen parameters; if an administrator who is logged in to the site visits it, their browser sends the request with their session cookies and the plugin stores the injected script. The attacker needs no account on the site, only a successful lure, which makes this a practical vector even though it depends on user interaction rather than on a flaw in WordPress core.
CVE-2025-13519 was publicly disclosed on 2026-01-06. No public proof-of-concept exploit is known at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Forging the request itself is trivial, so opportunistic use is plausible once a lure is built; because exploitation depends on an administrator of a specific site acting on that lure, attacks are more likely to be targeted at particular WordPress installations than mass-scanned.
Any WordPress site with the SVG Map by Smjrifle plugin installed is at risk, with exposure concentrated on sites whose administrators can be reached by phishing or other social-engineering lures. Sites on shared or managed hosting where plugin updates are applied centrally remain exposed until that central process actually updates or removes the plugin.
• Check whether the plugin is installed and which version is active:
wp plugin list | grep -i svg-map
• Check whether it is installed but inactive (an inactive plugin is still on disk and can be reactivated; remove it if unused):
wp plugin list --status=inactive | grep -i svg-map
• Locate the affected AJAX actions in the plugin source (the original check used the directory name svg-map-by-smjrifle, but the component field above lists the slug as svg-map-by-saedi, so adjust the path to whatever is actually installed):
grep -rnE 'savedata|deletedata|add_popup' /var/www/html/wp-content/plugins/svg-map-by-smjrifle/
Exploit status: no public proof of concept known; not listed in CISA KEV
EPSS: 0.02% (3rd percentile)
CISA SSVC: not provided on this page
CVSS vector: not provided on this page
The immediate mitigation for CVE-2025-13519 is to update to a fixed release if the plugin's changelog confirms one (the page header lists 1.0.1), and otherwise to deactivate and remove the plugin until one exists. As a temporary workaround, block requests to the affected AJAX actions at a Web Application Firewall (WAF) or reverse proxy: requests to /wp-admin/admin-ajax.php whose action parameter is savedata, deletedata or add_popup. Note that a WAF cannot tell a valid nonce from a missing one, so the rule has to block those actions outright, or at least any request to them whose Origin or Referer header is not your own site; either way it will also break legitimate use of the plugin's admin interface until the plugin is patched. Review the plugin's stored data and any recent plugin modifications for injected script, and monitor web server logs for requests to these actions, especially POSTs arriving with an unexpected or missing Referer. After upgrading, confirm the fix by submitting a request to each action without a nonce (or with a stale one); the plugin should reject the request rather than store the data.
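As an added illustration of the root cause described above and of the verification step in the mitigation text, the following is a hypothetical admin-ajax handler in the unprotected shape the advisory describes, followed by a hardened version. It is example code written for this page, not the SVG Map by Smjrifle plugin's own source; the option name svgmap_demo_data, the script handle svgmap-demo-admin, the nonce action svgmap_demo_savedata and the POST field name security are all assumed names, and only the savedata action is shown (deletedata and add_popup would be hardened the same way).

```php
<?php
/**
 * Added example (not the SVG Map plugin's own code): a hypothetical
 * admin-ajax handler for a "savedata" action, first in the unprotected
 * shape the advisory describes, then hardened.
 *
 * Assumed names (not from the advisory): option 'svgmap_demo_data',
 * script handle 'svgmap-demo-admin', nonce action 'svgmap_demo_savedata',
 * POST field 'security'.
 */

// --- Vulnerable pattern: no nonce, no capability check, raw input stored ---
// Any logged-in user's browser can be made to POST here from an attacker's
// page (CSRF); whatever arrives in $_POST['data'] is stored and later rendered.
function svgmap_demo_savedata_vulnerable() {
    $data = isset( $_POST['data'] ) ? $_POST['data'] : '';
    update_option( 'svgmap_demo_data', $data );   // stored as-is
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_savedata_vulnerable', 'svgmap_demo_savedata_vulnerable' );

// --- Hardened pattern ---
// 1. Require a nonce tied to this action; a forged cross-site request cannot
//    carry a valid one. check_ajax_referer() ends the request on failure.
// 2. Require a capability, so a low-privilege session cannot reach the write.
// 3. Sanitize on input and escape on output, so even a successful write
//    cannot carry script into an admin page.
function svgmap_demo_savedata_hardened() {
    check_ajax_referer( 'svgmap_demo_savedata', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $raw  = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    $data = sanitize_text_field( $raw );  // strips tags, NUL bytes, line breaks
    update_option( 'svgmap_demo_data', $data );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_savedata_hardened', 'svgmap_demo_savedata_hardened' );

// Render side: escape at output as well; never trust stored data.
function svgmap_demo_render_label() {
    $data = get_option( 'svgmap_demo_data', '' );
    echo '<span class="svgmap-label">' . esc_html( $data ) . '</span>';
}

// Issue the nonce to the admin page's JavaScript so that legitimate requests
// can send it as the 'security' POST field the handler checks.
function svgmap_demo_admin_enqueue( $hook ) {
    wp_enqueue_script( 'svgmap-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'svgmap-demo-admin', 'svgmapDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'svgmap_demo_savedata' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'svgmap_demo_admin_enqueue' );
```

With the hardened handler in place, the verification described above is a POST to admin-ajax.php?action=savedata_hardened without the security field: check_ajax_referer() ends the request with -1 (and an HTTP 403 in current WordPress) before update_option() runs. A WAF rule that enforces a same-site Origin on those actions buys time, but only the server-side nonce and capability checks, together with escaping on output, close the hole.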
No known patch available. Review the vulnerability details carefully and apply mitigations according to your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13519 is a CSRF-to-stored-XSS vulnerability in the SVG Map by Smjrifle WordPress plugin: missing nonce validation on its AJAX actions lets an attacker inject malicious scripts via a forged request submitted by a logged-in administrator's browser.
You are affected if you are using the SVG Map by Smjrifle plugin in versions 1.0.0 or earlier.
Upgrade to a patched version of the plugin as soon as it is available (the page header lists 1.0.1; confirm against the changelog). Until then, block the affected admin-ajax actions at a WAF or deactivate the plugin.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories regarding this vulnerability.