CVE-2025-47561

EUVD-2025-17520 | HIGH | Published 2025-06-09 | CVSS 3.1 base score 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Lifecycle Timeline (3 events)

CVE Published: Jun 09, 2025 16:15 (nvd)
EUVD ID Assigned: Mar 14, 2026 19:21 (euvd), EUVD-2025-17520
Analysis Generated: Mar 14, 2026 19:21 (vuln.today)

Description

Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG allows Privilege Escalation. This issue affects MapSVG: from n/a before 8.6.13.

Analysis

CVE-2025-47561 is an Incorrect Privilege Assignment vulnerability (CWE-266) in PT Norther Lights Production MapSVG that lets an authenticated user escalate privileges within the application. MapSVG versions before 8.6.13 are affected. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) describes an attacker who needs only a low-privileged account and no victim interaction, reaches the flaw over the network, and on success gains high impact on the confidentiality, integrity and availability of the site. Scope is unchanged, so the impact is scored against the vulnerable WordPress installation itself rather than a downstream system.

Technical Context

CWE-266 (Incorrect Privilege Assignment) covers code that grants a user privileges the application's access-control model does not entitle them to. In WordPress plugins the usual form is a handler that acts on a caller-supplied role or capability, or that gates a privileged operation on nothing stronger than being logged in. MapSVG is a WordPress plugin for building interactive SVG maps. The advisory does not say which code path is affected; the CVSS metrics only establish that the path is reachable over the network (AV:N) by an authenticated low-privileged user (PR:L) with no special preconditions (AC:L) and no victim interaction (UI:N), which fits a plugin AJAX or REST endpoint whose capability check is missing or too weak. Treat the specific location as unconfirmed until the vendor or a researcher publishes details.
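To make the CWE-266 pattern concrete, here is an added illustrative example (not MapSVG's code and not from vuln.today): a hypothetical WordPress admin-ajax handler that assigns a role taken from the request after checking only that the caller is logged in, beside a hardened version of the same handler. The action names, parameter names and nonce name are assumptions; the WordPress functions used (`is_user_logged_in`, `check_ajax_referer`, `current_user_can`, `get_editable_roles`, `WP_User::set_role`) are real core APIs.

```php
<?php
// Added illustrative example. This is NOT MapSVG's code; action names,
// parameter names and the nonce name are assumptions.

/*
 * VULNERABLE PATTERN (CWE-266).
 * The only gate is "is the caller logged in?", and the role to assign comes
 * straight from the request body. A subscriber who POSTs
 *   action=example_set_role&role=administrator
 * to /wp-admin/admin-ajax.php becomes an administrator: network reachable,
 * low privileges required, no user interaction, no special preconditions.
 */
add_action('wp_ajax_example_set_role', function () {
    if (!is_user_logged_in()) {
        wp_send_json_error('login required', 401);
    }
    $role = isset($_POST['role']) ? sanitize_text_field(wp_unslash($_POST['role'])) : 'subscriber';
    $user = wp_get_current_user();
    $user->set_role($role);              // WP_User::set_role performs no capability check
    wp_send_json_success(['role' => $role]);
});

/*
 * HARDENED PATTERN.
 * 1. Nonce check, so the request must originate from our own page (CSRF).
 * 2. Capability check: only callers allowed to promote users get past here.
 * 3. Target user and role are validated against what WordPress says this
 *    caller may edit and assign, instead of trusting the request.
 */
add_action('wp_ajax_example_set_role_fixed', function () {
    check_ajax_referer('example_set_role', 'nonce');   // dies with 403 on a bad or missing nonce

    if (!current_user_can('promote_users')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $target_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : 0;
    $role      = isset($_POST['role']) ? sanitize_key(wp_unslash($_POST['role'])) : '';

    // get_editable_roles() (loaded in the admin-ajax context) returns only the
    // roles this caller may hand out; the 'editable_roles' filter can trim it.
    $editable = get_editable_roles();
    if ($target_id === 0 || $role === '' || !isset($editable[$role])) {
        wp_send_json_error('invalid user or role', 400);
    }

    // The per-user meta capability enforces that the caller may edit *this*
    // account (for example, non-super-admins cannot edit super admins on multisite).
    if (!current_user_can('edit_user', $target_id)) {
        wp_send_json_error('cannot edit this user', 403);
    }

    $target = get_userdata($target_id);
    if (!$target) {
        wp_send_json_error('no such user', 404);
    }

    $target->set_role($role);
    wp_send_json_success(['user_id' => $target_id, 'role' => $role]);
});
```

The same mistake appears in REST form as a route registered with a `permission_callback` of `__return_true`, or one that only tests `is_user_logged_in()`; the fix there is identical: return `current_user_can()` for the specific capability the operation needs.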

Affected Products

PT Norther Lights Production MapSVG, all versions before 8.6.13 (the fix ships in 8.6.13). MapSVG is distributed as a WordPress plugin in free and premium editions. The page lists no official CPE; an entry of the form cpe:2.3:a:pt_norther_lights:mapsvg:*:*:*:*:*:wordpress:*:* with version < 8.6.13 is an estimate only and should not drive automated matching until NVD publishes configuration data. Exposure is highest on sites that hand out low-privileged accounts freely: open-registration sites, multi-author or agency-managed installations, and SaaS-style WordPress platforms where untrusted users hold accounts, because PR:L means such an account is all the attacker needs.

Remediation

Immediate action: update MapSVG to 8.6.13 or later, the release containing the fix. In WordPress: (1) open the admin dashboard and go to Plugins; (2) locate MapSVG and click Update Now if the installed version is below 8.6.13; (3) confirm the new version number in the plugin's details after the update. For installations maintained outside the plugin updater, obtain 8.6.13 or later from the vendor's official distribution channel and replace the plugin files.

Temporary mitigation (if immediate patching is not possible): deactivate MapSVG until it can be updated, or at minimum stop issuing new low-privileged accounts (disable open registration) and review existing ones, since PR:L means any authenticated account may be enough. IP allowlisting of wp-admin, admin-ajax.php and the REST API at the web server or WAF limits who can reach the plugin's endpoints, but it does not protect against an attacker who already holds a valid account on an allowed network.

Verification: after patching, confirm the installed version, audit user role assignments for accounts that were promoted unexpectedly during the exposure window, and re-test with a low-privileged account to confirm that the privileged operations are now rejected.
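The version check and role audit from the verification step, as an added WP-CLI script (not part of MapSVG or vuln.today) run with `wp eval-file check-mapsvg.php` from the site root. The plugin's main-file path `mapsvg/mapsvg.php` is an assumption; confirm it with `wp plugin list` before relying on the result. The fixed version 8.6.13 is taken from the advisory.

```php
<?php
// Added verification helper, not part of MapSVG or vuln.today.
// Usage: wp eval-file check-mapsvg.php
// Assumption: MapSVG's main plugin file is mapsvg/mapsvg.php.

require_once ABSPATH . 'wp-admin/includes/plugin.php';   // get_plugins(), is_plugin_active()

const MAPSVG_FIXED_VERSION = '8.6.13';          // from the advisory
const MAPSVG_PLUGIN_FILE   = 'mapsvg/mapsvg.php'; // assumed path

// True when the installed version is below the fixed one (PHP's version_compare
// handles multi-part versions such as 8.6.9 vs 8.6.13 correctly).
function mapsvg_is_vulnerable(string $installed, string $fixed = MAPSVG_FIXED_VERSION): bool
{
    return version_compare($installed, $fixed, '<');
}

// 1. Version check against the installed plugin headers.
$plugins = get_plugins();
if (!isset($plugins[MAPSVG_PLUGIN_FILE])) {
    WP_CLI::log('MapSVG not found at ' . MAPSVG_PLUGIN_FILE . '; check `wp plugin list` for the real path.');
} else {
    $version = $plugins[MAPSVG_PLUGIN_FILE]['Version'];
    $state   = is_plugin_active(MAPSVG_PLUGIN_FILE) ? 'active' : 'inactive';
    if (mapsvg_is_vulnerable($version)) {
        WP_CLI::warning("MapSVG $version ($state) is below " . MAPSVG_FIXED_VERSION . ': update required (CVE-2025-47561)');
    } else {
        WP_CLI::success("MapSVG $version ($state) is at or above " . MAPSVG_FIXED_VERSION);
    }
}

// 2. Role audit: list every account that can manage_options, with its roles and
//    registration date, so an unexpectedly promoted account stands out.
WP_CLI::log('Accounts holding manage_options:');
foreach (get_users(['fields' => ['ID', 'user_login', 'user_registered']]) as $u) {
    if (user_can((int) $u->ID, 'manage_options')) {
        $roles = implode(',', get_userdata((int) $u->ID)->roles);
        WP_CLI::log(sprintf('  %-6d %-24s roles=%-20s registered=%s', $u->ID, $u->user_login, $roles, $u->user_registered));
    }
}
```

Compare the audit output against your known administrator list; any account that gained an administrator role during the window when the vulnerable version was installed should be treated as a possible compromise and investigated rather than simply demoted.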

Priority Score

Priority Score: 44 (scale: Low / Medium / High / Critical)

Score components: KEV 0, EPSS +0.1, CVSS +44, POC 0


CVE-2025-47561 vulnerability details – vuln.today
