CVE-2025-54748 is a path traversal vulnerability affecting RomanCode's MapSVG plugin versions before 8.6.12. The flaw arises from improper limitation of pathname inputs, allowing an attacker to traverse directories outside the intended restricted directory. This enables unauthorized reading of arbitrary files on the server hosting the plugin. The vulnerability requires low privileges (PR:L) but no user interaction (UI:N) and can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 6.5, reflecting a medium severity primarily due to high confidentiality impact (C:H) but no impact on integrity or availability (I:N, A:N). The vulnerability could be leveraged to access sensitive configuration files, credentials, or other data stored on the server, potentially leading to further attacks. No public exploits are currently known, but the issue is publicly disclosed and patched in version 8.6.12. The plugin is commonly used in WordPress environments for interactive mapping and data visualization, making it a target for attackers seeking to gain information from vulnerable web servers.

For European organizations, this vulnerability poses a significant confidentiality risk as attackers can access sensitive files on servers running vulnerable versions of MapSVG. This could lead to exposure of credentials, configuration files, or proprietary data, potentially facilitating further compromise or data breaches. Organizations relying on MapSVG for public-facing websites or internal applications may face reputational damage and regulatory consequences under GDPR if personal data is exposed. The lack of impact on integrity and availability limits the immediate operational disruption, but the confidentiality breach alone is critical for compliance and trust. Attackers exploiting this vulnerability remotely without user interaction increases the risk of automated scanning and exploitation campaigns targeting European web infrastructure.

The primary mitigation is to update RomanCode MapSVG to version 8.6.12 or later, where this vulnerability is patched. Organizations should audit their WordPress environments to identify installations of MapSVG and verify plugin versions. Restricting file system permissions to limit the plugin's access to only necessary directories can reduce exploitation impact. Implementing web application firewalls (WAFs) with rules to detect and block path traversal attempts can provide additional protection. Regular monitoring of server logs for unusual file access patterns or directory traversal attempts is recommended. Additionally, organizations should ensure that sensitive files are stored outside web root directories and inaccessible to web applications where possible. Conducting vulnerability scans and penetration tests focusing on path traversal vectors will help validate mitigation effectiveness.