Skip to main content

PT Norther Lights Production MapSVG EUVDEUVD-2025-17520

| CVE-2025-47561 HIGH
Incorrect Privilege Assignment (CWE-266)
2025-06-09 audit@patchstack.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:43 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
8.6.13
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17520
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
CVE Published
Jun 09, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG allows Privilege Escalation.This issue affects MapSVG: from n/a before 8.6.13.

AnalysisAI

CVE-2025-47561 is an Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG that allows authenticated users to escalate their privileges within the application. Affected versions are MapSVG prior to 8.6.13. An attacker with low-privilege login credentials can exploit this flaw to gain high-impact unauthorized access to sensitive data, modify critical information, and potentially disrupt service availability.

Technical ContextAI

This vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a root cause class where the application fails to properly validate or enforce privilege boundaries during access control decisions. MapSVG, a WordPress plugin/web application for creating interactive SVG maps, contains a logic flaw in its privilege assignment mechanism. The vulnerability likely exists in the authentication or authorization handler that determines user roles and permissions, allowing a low-privileged user (PR:L per CVSS vector) to access or perform actions reserved for higher-privileged roles. The network-accessible nature (AV:N) and low attack complexity (AC:L) suggest the flaw is in a readily accessible code path, possibly in API endpoints, role-checking functions, or permission validation routines that can be triggered without additional user interaction (UI:N).

RemediationAI

Immediate action: Update MapSVG to version 8.6.13 or later. This is a mandatory patch release. For WordPress installations: (1) Access WordPress admin panel → Plugins; (2) Locate MapSVG and click 'Update Now' if version < 8.6.13; (3) Verify successful upgrade by checking plugin version in Settings or plugin details. For manual installations, download MapSVG 8.6.13+ from the official PT Norther Lights repository and replace plugin files. Temporary mitigation (if immediate patching is not possible): Restrict plugin access via WordPress user roles—disable MapSVG functionality for non-administrative users until patched, or implement network-level IP whitelisting to limit access to trusted sources. Verification: After patching, audit user role assignments and conduct privilege escalation testing to confirm the flaw is resolved.

Share

EUVD-2025-17520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy