Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG allows Privilege Escalation.This issue affects MapSVG: from n/a before 8.6.13.
AnalysisAI
CVE-2025-47561 is an Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG that allows authenticated users to escalate their privileges within the application. Affected versions are MapSVG prior to 8.6.13. An attacker with low-privilege login credentials can exploit this flaw to gain high-impact unauthorized access to sensitive data, modify critical information, and potentially disrupt service availability.
Technical ContextAI
This vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a root cause class where the application fails to properly validate or enforce privilege boundaries during access control decisions. MapSVG, a WordPress plugin/web application for creating interactive SVG maps, contains a logic flaw in its privilege assignment mechanism. The vulnerability likely exists in the authentication or authorization handler that determines user roles and permissions, allowing a low-privileged user (PR:L per CVSS vector) to access or perform actions reserved for higher-privileged roles. The network-accessible nature (AV:N) and low attack complexity (AC:L) suggest the flaw is in a readily accessible code path, possibly in API endpoints, role-checking functions, or permission validation routines that can be triggered without additional user interaction (UI:N).
RemediationAI
Immediate action: Update MapSVG to version 8.6.13 or later. This is a mandatory patch release. For WordPress installations: (1) Access WordPress admin panel → Plugins; (2) Locate MapSVG and click 'Update Now' if version < 8.6.13; (3) Verify successful upgrade by checking plugin version in Settings or plugin details. For manual installations, download MapSVG 8.6.13+ from the official PT Norther Lights repository and replace plugin files. Temporary mitigation (if immediate patching is not possible): Restrict plugin access via WordPress user roles—disable MapSVG functionality for non-administrative users until patched, or implement network-level IP whitelisting to limit access to trusted sources. Verification: After patching, audit user role assignments and conduct privilege escalation testing to confirm the flaw is resolved.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17520