Login Sign Up

CVE-2024-9117

6.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

The Mapplic Lite WordPress plugin has a stored XSS vulnerability in all versions up to 1.0 that allows authenticated attackers with Author-level access to upload malicious SVG files containing JavaScript. When users view these SVG files, the malicious scripts execute in their browsers. This affects all WordPress sites using vulnerable versions of the Mapplic Lite plugin.

💻 Affected Systems

Products:
  • Mapplic Lite WordPress Plugin
Versions: All versions up to and including 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Mapplic Lite plugin enabled. Attackers need Author-level access or higher.

📦 What is this software?

Mapplic by Mapplic

View all CVEs affecting Mapplic →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with Author accounts inject malicious scripts to steal user session cookies or credentials, potentially compromising user accounts.

🟢

If Mitigated

With proper user access controls and content security policies, impact is limited to isolated user sessions without broader system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once attacker has Author privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0

Vendor Advisory: https://wordpress.org/plugins/mapplic-lite/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Mapplic Lite and click 'Update Now'. 4. Verify update to version after 1.0.

🔧 Temporary Workarounds

Disable SVG Uploads

all

Prevent SVG file uploads through WordPress media library

Add to wp-config.php: define('ALLOW_UNFILTERED_UPLOADS', false);
Add to functions.php: add_filter('upload_mimes', function($mimes) { unset($mimes['svg']); return $mimes; });

Restrict User Roles

all

Limit Author and higher privileges to trusted users only

🧯 If You Can't Patch

  • Disable Mapplic Lite plugin immediately
  • Implement Content Security Policy headers to restrict script execution from uploaded files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Mapplic Lite version 1.0 or earlier

Check Version:

wp plugin list --name=mapplic-lite --field=version

Verify Fix Applied:

Verify Mapplic Lite plugin version is higher than 1.0 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads by Author-level users
  • Multiple failed login attempts followed by SVG uploads

Network Indicators:

  • Unexpected JavaScript execution from SVG file URLs
  • External calls from SVG file content

SIEM Query:

source="wordpress" AND (event="plugin_update" AND plugin="mapplic-lite") OR (event="file_upload" AND file_extension="svg")

📊 Metadata

CVE ID: CVE-2024-9117
CVSS v3 Score: 6.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: September 26, 2024
Last Updated: October 1, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-9117, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)