28 Jun 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in the WordPress Plugin MapSVG Lite

If you were already using our service you would know that the plugin MapSVG Lite isn’t secure, as there was an unfixed vulnerability disclosed at the beginning of the year. If you were relying on other data sources there is a good chance you wouldn’t know that, since the ultimate source of a lot of those, the WPScan Vulnerability Database, claims that it was fixed:

[Read more]

28 Jun 2019

Vulnerability Details: Arbitrary File Viewing in MapSVG Lite

The plugin MapSVG Lite got flagged by our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities, and when we went to look into what it had identified we found that the plugin had been closed on the WordPress Plugin Directory yesterday. That appears to have happened due to a security issue, but a different one than the one our monitoring picked up.

[Read more]

18 Jul 2018

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in MapSVG Lite

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which isn’t as much of a concern for the average website but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found in the plugin MapSVG Lite. The vulnerability could allow an attacker with access to a WordPress account to upload arbitrary files to the website. It could also be exploited through cross-site request forgery (CSRF): an attacker who could get a logged-in user to visit a URL the attacker controls could have that user’s browser perform the upload on the attacker’s behalf.
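To make the two exploitation paths concrete, here is an added illustration (it is not code from MapSVG Lite or from this post) of the generic pattern behind an authenticated arbitrary file upload in a WordPress plugin: an AJAX handler that is reachable by any logged-in user, checks no nonce, and writes whatever file it is given under its original name into a web-served directory. The hardened version beside it adds the three checks that close both paths. The action name `example_upload`, the nonce action string and the allowed file types are assumptions chosen for the example.

```php
<?php
/*
 * Added example, not the plugin's own code. Both handlers are registered on
 * the wp_ajax_ hook, so WordPress already requires a logged-in session to
 * reach them; that is what makes the flaw "authenticated" rather than
 * unauthenticated. Action/nonce names below are assumptions for illustration.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Any logged-in user (a subscriber is enough) can call this, and because there
// is no nonce check an attacker's page can also submit the multipart form to
// admin-ajax.php from a victim's logged-in browser (CSRF). Nothing restricts the
// extension, so a .php file lands in the uploads directory and is executable.
add_action( 'wp_ajax_example_upload_vulnerable', 'example_upload_vulnerable' );
function example_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['basedir'] . '/' . basename( $_FILES['file']['name'] );

    move_uploaded_file( $_FILES['file']['tmp_name'], $target );

    wp_send_json_success( array( 'file' => $target ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. check_ajax_referer() rejects requests without a valid nonce, which stops
//    the CSRF path (an attacker's page cannot read the victim's nonce).
// 2. current_user_can() limits the endpoint to users already trusted to
//    upload, instead of every registered account.
// 3. wp_handle_upload() validates extension and MIME type against a whitelist
//    and generates a safe filename, so arbitrary file types are refused.
add_action( 'wp_ajax_example_upload_hardened', 'example_upload_hardened' );
function example_upload_hardened() {
    // The front end must send wp_create_nonce( 'example_upload' ) as "nonce".
    check_ajax_referer( 'example_upload', 'nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Assumed whitelist for the example: plain raster images only. A plugin
    // that genuinely needs SVG must additionally sanitize the SVG content,
    // since SVG can carry script and is an XSS vector when served inline.
    $allowed = array(
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    );

    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any capability or file logic is reached, and the capability check uses `upload_files` rather than a role name so that it follows whatever the site administrator has configured. If a plugin must accept uploads from low-privilege accounts, the whitelist and `wp_handle_upload()` are the controls that keep "upload a file" from becoming "upload a web shell".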

Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another reminder of how that tool can help to indicate which plugins are in greater need of a security review (which we do as part of our service as well as separately). [Read more]