Vulnerability Details : CVE-2019-1000003
Potential exploit
MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker can modify post data, including embedding javascript. This attack appears to be exploitable via the victim must be logged in to WordPress as an admin, and click a link. This vulnerability appears to have been fixed in 3.3.0 and later.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2019-1000003
- cpe:2.3:a:mapsvg:mapsvg_lite:3.2.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1000003
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 27 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1000003
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2019-1000003
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-1000003
-
https://advisories.dxw.com/advisories/csrf-mapsvg-lite/
CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can – dxw advisoriesThird Party Advisory
-
https://wpvulndb.com/vulnerabilities/9198
MapSVG Lite - Cross-Site Request Forgery (CSRF)Exploit;Third Party Advisory
Jump to