CVE-2025-13519: CWE-352 Cross-Site Request Forgery (CSRF) in smjrifle SVG Map Plugin
The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
The smjrifle SVG Map Plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2025-13519. All versions up to and including 1.0.0 are affected because several AJAX actions, specifically 'save_data', 'delete_data' and 'add_popup', are registered without a nonce check or with one that is implemented incorrectly.

WordPress nonces are per-user, per-action tokens (bound to the logged-in user, their session token and a time window) that a handler verifies to confirm the request came from a page the site itself rendered for that user. Without that check the handler accepts any request that carries the administrator's authentication cookie, including one submitted by a page the attacker controls. An attacker who lures a logged-in administrator into visiting a malicious page or clicking a crafted link can therefore alter plugin settings, delete map data, or store script-bearing content through the 'add_popup' action, without ever authenticating to the target site. Wordfence's "unauthenticated attackers" wording means exactly this: the attacker needs no account, but does need a privileged user to perform the triggering action.

The CVSS 3.1 base score of 6.1 (medium) reflects a network attack vector, no privileges required, user interaction required, and partial impact on confidentiality and integrity.

At the time of writing no fixed version or vendor patch is linked, and no in-the-wild exploitation has been reported. The CVE was reserved by Wordfence on 2025-11-21 and published in January 2026. Sites that rely on the plugin for interactive maps should treat this as a live risk until a fixed release is available.
Potential Impact
The primary impact of CVE-2025-13519 is unauthorized modification of plugin settings and deletion of map data, which compromises data integrity. Because the 'add_popup' action accepts content that the plugin later renders, a forged request can also plant a persistent cross-site scripting (XSS) payload that executes in the browsers of visitors or administrators who view the affected map, exposing sessions and enabling redirects to attacker-controlled sites; that is the confidentiality impact. Availability is not directly affected, although deleted or altered map data degrades the site and erodes user trust. Every forged action runs with the administrator's own privileges, so a successful lure amounts to misuse of the administrator account, with the reputational damage, data loss and follow-on attack surface that implies. The need for user interaction rules out fully automated exploitation but not targeted phishing of site administrators, which is common against WordPress sites. With no exploitation reported so far, defenders have a window to act before abuse becomes widespread.
Mitigation Recommendations
To mitigate CVE-2025-13519, first confirm whether the smjrifle SVG Map Plugin is installed and which version is active (the Plugins screen, or `wp plugin list` with WP-CLI). Because no fixed release is linked at the time of writing, the most reliable mitigation is to deactivate and remove the plugin until one appears. If the site cannot do without it and the team maintains a local copy of the code, every administrative AJAX handler must call `check_ajax_referer()` against an action-specific nonce that the plugin's own admin script supplies, and must also confirm authorization with `current_user_can()`: a valid nonce proves the request originated from the site's own page, not that the caller is allowed to perform the action.

Some commonly suggested controls do not apply here and should not be mistaken for fixes. Multi-factor authentication and IP allow-listing for /wp-admin/ protect against credential theft, but a CSRF request is issued by the administrator's already-authenticated browser from the administrator's own network, so both controls let it through. Browser SameSite defaults help only partially: WordPress does not set a SameSite attribute on its authentication cookies, so browsers that default to Lax withhold them from cross-site POST requests but still send them on a top-level GET navigation such as a link click, and admin-ajax.php reads the 'action' parameter from either method. A handler that takes its inputs from $_REQUEST or $_GET therefore remains reachable through a plain link.

Compensating controls that do help: a WAF rule that blocks requests to /wp-admin/admin-ajax.php whose 'action' is save_data, delete_data or add_popup unless the Origin or Referer header matches the site's own origin; alerting on those same actions in access logs when the Referer is missing or foreign, and on unexpected changes to the plugin's options or map data; reminding administrators not to follow untrusted links while logged in to the dashboard; and tested backups of the database so deleted or altered map data can be restored.
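The following is an added illustration of the defect class and its fix, not code from the SVG Map Plugin (the advisory does not show the plugin's handler internals). The action names 'save_data', 'delete_data' and 'add_popup' come from the advisory; the option names, the nonce action string 'svgmap_ajax', the 'manage_options' capability and the request parameter names are assumptions chosen for the example.

```php
<?php
// Added example: a WordPress AJAX handler with no nonce check (the CWE-352
// pattern described in the advisory) beside a hardened version. Option names,
// the nonce action string and request parameter names are assumed for
// illustration; they are not taken from the plugin.

// --- Vulnerable shape ----------------------------------------------------
// Any request reaching admin-ajax.php with action=save_data while the
// administrator's browser holds a valid auth cookie is processed, whether or
// not the administrator meant to send it. No nonce, no capability check,
// no sanitization.
function svgmap_save_data_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'svgmap_settings', $settings );
    wp_send_json_success();
}
// add_action( 'wp_ajax_save_data', 'svgmap_save_data_vulnerable' );

// --- Hardened shape ------------------------------------------------------

// 1. Hand a nonce to the plugin's own admin script. The nonce is derived from
//    the logged-in user, their session token and the action string, and is
//    valid for 12 to 24 hours, so a page the attacker controls cannot obtain
//    or forge it.
function svgmap_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'svgmap-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0.0', true );
    wp_localize_script( 'svgmap-admin', 'svgmapAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'svgmap_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'svgmap_enqueue_admin_script' );

// 2. Shared guard: verify the nonce carried in the 'nonce' field, then confirm
//    the caller is allowed to change settings. A nonce proves intent, not
//    privilege, so the capability check is still required.
function svgmap_require_admin_request() {
    // With the third argument true, check_ajax_referer() terminates the
    // request (HTTP 403, body -1) when the nonce is missing or invalid, so
    // everything after it runs only for requests the site's own page made.
    check_ajax_referer( 'svgmap_ajax', 'nonce', true );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
}

function svgmap_save_data() {
    svgmap_require_admin_request();
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = sanitize_text_field( $raw );
    update_option( 'svgmap_settings', $settings );
    wp_send_json_success();
}

function svgmap_delete_data() {
    svgmap_require_admin_request();
    $map_id = isset( $_POST['map_id'] ) ? absint( $_POST['map_id'] ) : 0;
    if ( 0 === $map_id ) {
        wp_send_json_error( array( 'message' => 'missing map_id' ), 400 );
    }
    delete_option( 'svgmap_map_' . $map_id );
    wp_send_json_success();
}

function svgmap_add_popup() {
    svgmap_require_admin_request();
    // Popup markup is rendered into pages later, so restrict it to the
    // post-safe HTML allow-list instead of storing arbitrary <script> content.
    $html = isset( $_POST['popup_html'] ) ? wp_kses_post( wp_unslash( $_POST['popup_html'] ) ) : '';
    update_option( 'svgmap_popup', $html );
    wp_send_json_success();
}

// Register only the authenticated hooks. Administrative actions must not also
// be exposed through 'wp_ajax_nopriv_*' variants.
add_action( 'wp_ajax_save_data',   'svgmap_save_data' );
add_action( 'wp_ajax_delete_data', 'svgmap_delete_data' );
add_action( 'wp_ajax_add_popup',   'svgmap_add_popup' );
```

The plugin's admin script then has to include the token in each call, for example `jQuery.post(svgmapAjax.url, { action: 'save_data', nonce: svgmapAjax.nonce, settings: payload })`; a request assembled by a third-party page has no way to read `svgmapAjax.nonce` and fails at `check_ajax_referer()`. The `wp_kses_post()` filtering in `svgmap_add_popup()` is what closes the "inject malicious web scripts" half of the advisory; the nonce alone only stops the cross-site trigger.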
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-21T19:11:08.471Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e1b2fa55ed4ed998cb649
Added to database: 1/7/2026, 8:37:03 AM
Last enriched: 2/27/2026, 9:56:38 AM
Last updated: 3/24/2026, 1:00:41 AM
Views: 65