Authenticated Arbitrary File Upload Vulnerability in MapSVG
Over at our main business, we were recently cleaning up a hacked WordPress website. As part of that service, we run the plugins being used on the website through the same software we use to do proactive monitoring to catch serious vulnerabilities being introduced into WordPress plugins. Through that we caught a couple of less serious vulnerabilities in the commercial plugin MapSVG. In line with our reasonable disclosure policy, we are disclosing the vulnerabilities as the developer hasn’t gotten back to us in the week since we notified them of the vulnerabilities (the developer never fixed a vulnerability we discovered in their free MapSVG Lite in 2019).
One of the vulnerabilities allows WordPress users with the edit_posts capability, which is normally users with the Contributor role and above, to upload arbitrary files to the website.
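The root cause of this class of bug is a file upload handler that gates on a broad capability such as edit_posts (or on none at all) and accepts whatever file the client sends. The following is an added illustrative example, not MapSVG's code and not derived from it, of how a WordPress AJAX upload handler should gate the request instead. The hook name (wp_ajax_example_svg_upload), the nonce action, the $_FILES field name and the allowed MIME list are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code): an authenticated AJAX upload
// handler with the checks an arbitrary-file-upload bug typically lacks.
// Hook name, nonce action, field name and MIME list are assumptions.

add_action( 'wp_ajax_example_svg_upload', 'example_handle_svg_upload' );

function example_handle_svg_upload() {
    // 1. CSRF: the request must carry a nonce tied to this action.
    check_ajax_referer( 'example_svg_upload', 'nonce' );

    // 2. Authorization: require the capability that actually means
    //    "may upload files". edit_posts is held by Contributors, who
    //    by default do NOT have upload_files; Authors and above do.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_array( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Type restriction: allow only the types this feature needs.
    //    wp_check_filetype_and_ext() matches the extension against the
    //    list and, for raster images, also sniffs the file content.
    $allowed = array(
        'svg'      => 'image/svg+xml',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $file  = $_FILES['file'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress place the file: wp_handle_upload() sanitizes the
    //    filename, re-checks the type against 'mimes', and writes into
    //    the uploads directory rather than a client-chosen path.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Two design points are worth noting. First, the capability check is the control that separates "can write draft posts" from "can put files on the server"; a handler that only checks edit_posts (or only that the user is logged in) hands upload rights to every Contributor. Second, the MIME allow-list is passed to both wp_check_filetype_and_ext() and wp_handle_upload(), so an extension that is not in the list is rejected twice and the handler never trusts the client-supplied Content-Type. WordPress core does not permit SVG uploads by default because SVG can carry script; a plugin that genuinely needs SVG should sanitize the document server-side before storing it.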