Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.5.32.
AnalysisAI
CVE-2025-47559 is an unrestricted file upload vulnerability in RomanCode MapSVG that allows authenticated users to upload and execute arbitrary web shells on affected servers. The vulnerability impacts MapSVG versions through 8.5.32, enabling attackers with valid login credentials to achieve complete system compromise (confidentiality, integrity, and availability). With a CVSS score of 9.9 and active exploitation risk indicated by the low attack complexity and widespread impact potential, this represents a critical threat to MapSVG deployments.
Technical ContextAI
MapSVG is a WordPress plugin/web application library that handles SVG map creation and manipulation. The vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a common file upload validation flaw where the application fails to properly restrict file types during upload operations. The root cause involves insufficient validation of file extensions, MIME types, or content inspection before accepting uploaded files. This allows attackers to bypass security controls and upload executable code (web shells in PHP, JSP, ASP.NET, etc.) that the web server will interpret and execute with the privileges of the web application. The affected CPE would be represented as cpe:2.3:a:romancode:mapsvg:*:*:*:*:*:wordpress:*:* with versions 8.5.32 and earlier being vulnerable.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18540