Platform: wordpress
Component: svg-map-by-saedi
Fixed in: 1.0.1
CVE-2025-13519 describes a vulnerability in the SVG Map by Smjrifle plugin for WordPress (component slug svg-map-by-saedi). The root cause is missing nonce validation on the plugin's AJAX actions, so an unauthenticated attacker can forge requests (a CSRF flaw) and, through them, store attacker-controlled web script in the plugin's data (a stored XSS outcome), with site administrator accounts and plugin data as the targets. All versions up to and including 1.0.0 are affected; version 1.0.1 is listed above as the fixed release.
The primary impact is execution of arbitrary JavaScript in the browser of any user who later loads the injected content, which can lead to session hijacking, site defacement, redirection to attacker-controlled sites and theft of sensitive information. The flaw lies in the 'savedata', 'deletedata' and 'add_popup' AJAX actions served through admin-ajax.php: none of them verifies a WordPress nonce, so nothing proves that a request came from the plugin's own admin screen. An attacker crafts a page or link that submits one of these actions with attacker-chosen parameters; when a logged-in administrator visits it, the administrator's browser sends the request with the administrator's session cookie, and the plugin processes it as legitimate. The attacker needs no account on the site and no flaw in WordPress core; the only precondition is persuading an administrator to open a link, which is why the vulnerability is rated as exploitable by unauthenticated attackers.
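The handler shape behind this class of bug, as an added illustration that is not the SVG Map plugin's own code: the vulnerable pattern (no nonce, no capability check, raw HTML stored) next to the hardened pattern a fix would introduce. Only the action name savedata comes from the advisory; the function names, option name, nonce action, menu page hook and script handle are assumptions made for the example.

```php
<?php
// Added example, not code from the SVG Map plugin. The AJAX action name
// 'savedata' is from the advisory; every other name here is assumed.

/* Vulnerable shape. In the affected plugin a handler like this is what
 * add_action( 'wp_ajax_savedata', ... ) dispatches to. Nothing proves the
 * request came from the plugin's own admin screen, so a form that an
 * attacker's page auto-submits is processed under the victim admin's session. */
function svgmap_savedata_vulnerable() {
    $data = wp_unslash( $_POST['data'] ?? '' );
    update_option( 'svgmap_data', $data ); // attacker-supplied <script> is stored verbatim
    wp_send_json_success();
}

/* Hardened shape: same action, three added controls. */
add_action( 'wp_ajax_savedata', 'svgmap_savedata_hardened' );
function svgmap_savedata_hardened() {
    // 1. CSRF: require a nonce tied to this user and this action. On a missing
    //    or stale nonce check_ajax_referer() ends the request with HTTP 403 and body "-1".
    check_ajax_referer( 'svgmap_savedata', 'nonce' );

    // 2. Authorisation: a valid session is not the same as permission to edit.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Content: keep only markup a post may contain, so no script element or
    //    event-handler attribute reaches the stored data.
    $data = wp_kses_post( wp_unslash( $_POST['data'] ?? '' ) );
    update_option( 'svgmap_data', $data );
    wp_send_json_success();
}

/* The nonce has to be issued to the admin screen that makes the call. */
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'toplevel_page_svgmap' !== $hook_suffix ) { // assumed menu page hook
        return;
    }
    wp_enqueue_script( 'svgmap-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0.1', true );
    // Exposed to admin.js as svgmapAjax.url and svgmapAjax.nonce; the script
    // posts {action: 'savedata', nonce: svgmapAjax.nonce, data: ...} to the URL.
    wp_localize_script( 'svgmap-admin', 'svgmapAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'svgmap_savedata' ),
    ) );
} );
```

The vulnerable function is shown unregistered so the two do not both run for one action. wp_kses_post() is used for brevity; a plugin whose data legitimately contains SVG markup would instead call wp_kses() with an explicit allow-list of SVG tags and attributes that excludes script, foreignObject and every on* handler attribute. The nonce check is the control that closes this CVE; the capability and content checks are defence in depth against the next one.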
CVE-2025-13519 was publicly disclosed on 2026-01-06. No public proof-of-concept exploit is known at the time of writing, but the attack is simple to build (a page that submits one admin-ajax.php request), so opportunistic use is plausible. It is not listed on CISA KEV. Because exploitation needs an administrator of a specific site to open an attacker-controlled link, attacks are more likely to be targeted at particular WordPress installations than sprayed across the internet.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC: not stated
CVSS Vector: not stated
The fix is to update the plugin to 1.0.1, the release listed above as patched. If the update cannot be applied immediately, either deactivate the plugin or put a guard in front of the three affected actions. Note what a WAF can and cannot do here: it cannot validate a WordPress nonce, which is bound to the user session and the action, but it can block requests to '/wp-admin/admin-ajax.php' whose action parameter is 'savedata', 'deletedata' or 'add_popup' when the Origin or Referer header does not belong to your site, or block those actions outright at the cost of breaking the plugin's admin screen until the update lands. Because a successful attack writes its payload into the plugin's stored data, review the saved map and popup data for injected script or event-handler attributes, and review recently modified plugin files. Monitor web server logs for requests to these actions whose Referer is missing or foreign. After updating, confirm the fix by sending one of the actions from an authenticated administrator session without a nonce parameter: the default failure response of WordPress's nonce check is HTTP 403 with the body -1, and a request carrying only manipulated parameters should be rejected the same way.
Until the update is applied, review the vulnerability's details and apply mitigations according to your organization's risk tolerance; uninstalling the plugin and choosing a replacement is a reasonable option if its functionality is not essential.
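Until the update is applied, a must-use plugin can enforce a same-origin check in front of the three named actions. This is an added example of such a virtual patch, not the vendor's code or an official patch. It relies on admin-ajax.php firing admin_init before it dispatches the wp_ajax_{action} hook, so the guard runs ahead of the plugin's handler without needing to know which nonce name the plugin uses. The action names come from the advisory; the function and constant names are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary guard for svg-map-by-saedi AJAX actions
 * Description: Added example of a virtual patch for CVE-2025-13519, not the
 *              plugin vendor's code. Place in wp-content/mu-plugins/ and remove
 *              after updating the plugin to 1.0.1.
 */

// The AJAX actions named in the advisory.
const SVGMAP_GUARDED_ACTIONS = array( 'savedata', 'deletedata', 'add_popup' );

// admin_init fires in admin-ajax.php before the wp_ajax_{action} hook, so this
// runs ahead of the plugin's own handler.
add_action( 'admin_init', 'svgmap_guard_ajax_actions', 0 );

function svgmap_guard_ajax_actions() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    // admin-ajax.php reads the action from $_REQUEST, so GET links and POST
    // forms both reach this point; sanitize_key() lowercases and strips it.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, SVGMAP_GUARDED_ACTIONS, true ) ) {
        return;
    }
    if ( ! svgmap_request_is_same_origin() ) {
        error_log( sprintf(
            'svgmap guard: blocked cross-site admin-ajax action "%s" from %s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        // The AJAX die handler sends the status code and the message body.
        wp_die( 'Blocked: cross-site request to a guarded AJAX action.', 'Forbidden', array( 'response' => 403 ) );
    }
}

/**
 * A forged request from an attacker's page carries that page's Origin (or, for
 * a plain link, its Referer), never this site's. Requests from the plugin's
 * admin screen carry the admin host in one of the two headers.
 */
function svgmap_request_is_same_origin() {
    // Compare against the admin URL host rather than home_url(): the admin
    // screen that legitimately calls these actions lives under siteurl.
    $admin_host = (string) wp_parse_url( admin_url(), PHP_URL_HOST );

    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ( '' !== $origin && 'null' !== $origin ) {
        return 0 === strcasecmp( (string) wp_parse_url( $origin, PHP_URL_HOST ), $admin_host );
    }
    $referer = wp_get_raw_referer();
    if ( $referer ) {
        return 0 === strcasecmp( (string) wp_parse_url( $referer, PHP_URL_HOST ), $admin_host );
    }
    // Neither header present: treat as cross-site. A browser or proxy that
    // strips both headers will also be refused; for a temporary guard that is
    // the safer failure, and the error_log line above makes it visible.
    return false;
}
```

The guard blocks only the three named actions and only when the request is not same-origin, so the plugin keeps working from its own admin screen. It is a stop-gap: it does not replace the nonce check that 1.0.1 is listed as adding, and it should be removed once the update is in place so it does not mask a future regression.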
CVE-2025-13519 is a missing-nonce (CSRF) vulnerability in the SVG Map by Smjrifle WordPress plugin that lets an attacker inject malicious scripts via forged requests sent by a logged-in administrator's browser.
You are affected if you are using the SVG Map by Smjrifle plugin in versions 1.0.0 or earlier.
Upgrade to version 1.0.1, the release listed above as fixed. Until the update is applied, block the affected admin-ajax.php actions ('savedata', 'deletedata', 'add_popup') from cross-site requests, or deactivate the plugin.
There are currently no confirmed reports of active exploitation, but the attack needs only a crafted link and an administrator who opens it, so it remains an attractive target.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories regarding this vulnerability.