CVE-2025-32682 — AI Deep Analysis Summary

🚨 **Essence**: Arbitrary File Upload via REST API. <br>💥 **Consequences**: Attackers upload PHP scripts disguised as SVGs. Result: **Remote Code Execution (RCE)** on the server.…

🛡️ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). <br>🔍 **Flaw**: The plugin fails to validate file types when uploading SVG files via the REST API endpoint `/wp-json/mapsvg/v1/svgfile`.

📦 **Affected**: WordPress Plugin **MapSVG Lite**. <br>📅 **Versions**: **8.5.34 and earlier**. <br>🏢 **Vendor**: RomanCode.

👮 **Privileges**: Requires **Authenticated** access (Subscriber role or higher). <br>📂 **Data**: Full server control via uploaded Web Scripts (PHP). CVSS Score: **9.9 (Critical)**.

⚖️ **Threshold**: **Low** for authenticated users. <br>🔑 **Auth**: Yes, needs login (Subscriber+). <br>🌐 **Network**: Network-accessible (AV:N). <br>👁️ **UI**: None required (UI:N).

💣 **Public Exp?**: **YES**. <br>🔗 **PoC**: Available on GitHub (`Nxploited/CVE-2025-32682`). <br>📝 **Description**: Confirms arbitrary file upload via the specific REST endpoint.

🔍 **Self-Check**: Scan for installed **MapSVG Lite** plugin. <br>📊 **Version**: Check if version is **≤ 8.5.34**. <br>🛠️ **Tool**: Use WPScan or manual version check in WordPress dashboard.

🩹 **Official Fix**: **Yes**. <br>📌 **Action**: Update MapSVG Lite to the latest version. <br>🔗 **Ref**: Patchstack database confirms vulnerability details and fix availability.

🚧 **No Patch?**: **Disable** the plugin immediately. <br>🚫 **Block**: Restrict access to `/wp-json/mapsvg/v1/svgfile` endpoint via WAF. <br>🔒 **Verify**: Ensure no suspicious PHP files exist in upload directories.

🔥 **Urgency**: **CRITICAL**. <br>⏱️ **Priority**: **Immediate Action Required**. <br>📉 **Risk**: CVSS 9.9. Active PoC exists. High likelihood of exploitation by automated bots targeting authenticated users.