
Add CVE-2012-10018 detection template#14479

Merged
pussycat0x merged 11 commits intoprojectdiscovery:mainfrom
KrE80r:add-cve-2012-10018
Jan 8, 2026

Conversation

KrE80r (Contributor) commented Dec 20, 2025

/claim 14478

Summary

Adds nuclei template for detecting CVE-2012-10018 (WordPress Mapplic/Mapplic Lite Stored XSS via SVG file upload).

Vulnerable environment shared privately

Testing

  • Syntax validation: passed
  • Manual testing: passed

Test Evidence

Validated against WordPress 5.5 + Mapplic Lite 1.0 in Docker environment (shared privately).


KrE80r and others added 2 commits December 20, 2025 16:21
- Use mapplic-mapdata parameter (raw JSON editor) instead of visual form fields
- Inject complete JSON structure matching Packet Storm exploit
- Detect stored URL in data-mapdata attribute
- Verify mapplic-rawedit interface presence
- Update description to clarify SSRF + XSS exploitation chain
- Fix matchers to detect actual vulnerability manifestation
DhiyaneshGeek (Member) commented

Hi @KrE80r

I don't see any XSS being triggered, I request you to update the POC accordingly.

KrE80r (Contributor, Author) commented Dec 22, 2025

Thanks @DhiyaneshGeek for the feedback.

You're right - the original template only proved URL injection, not actual XSS execution.

I've added:

  • headless/cves/2012/CVE-2012-10018.yaml - uses waitdialog to detect JavaScript alert
  • helpers/payloads/CVE-2012-10018.svg - XSS payload hosted in repo

To test:

nuclei -t headless/cves/2012/CVE-2012-10018.yaml -u http://target \
    -var username=admin -var password=admin -headless

The template references the SVG from raw.githubusercontent.com once merged, making it plug-and-play.
The HTTP template detects the injection vector. The headless template confirms XSS execution.

DhiyaneshGeek (Member) commented

Hi @KrE80r

Kindly update the template with the HTTP protocol only and remove the headless one.

Also add a matcher for each of the requests with a flow condition.

KrE80r (Contributor, Author) commented Dec 24, 2025

@DhiyaneshGeek done, updated the PR.

DhiyaneshGeek (Member) commented

Hi @KrE80r

Kindly use this as reference: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-1029.yaml

You should be using internal: true

Hope this helps.

KrE80r (Contributor, Author) commented Dec 24, 2025

Thanks @DhiyaneshGeek, added.

DhiyaneshGeek (Member) commented Dec 24, 2025

Hi @KrE80r

  • cookie-reuse is deprecated
  • use a DSL matcher on all requests

Kindly update the same.

If the XSS is not triggered the submission will not be accepted.

Thanks

- Replace cookie-reuse with flow control
- Convert all matchers to DSL format
- Add XSS payload detection in mapplic-mapdata field
KrE80r (Contributor, Author) commented Dec 24, 2025

Thank you @DhiyaneshGeek for the feedback. I've updated the template to:

  • Remove deprecated cookie-reuse
  • Use DSL matchers on all requests
  • Add internal: true on intermediate steps

Regarding XSS trigger detection:

The original CVE describes a specific attack chain: an authenticated user injects an arbitrary URL pointing to a remote SVG file. When the map is viewed, jQuery .load() fetches that SVG and inserts it into the DOM, executing any embedded JavaScript.

To properly detect this vulnerability, the template would need to:

  1. Inject a URL (e.g., http://attacker.com/malicious.svg)
  2. Have a browser fetch and render the SVG
  3. Verify JS execution

This requires headless mode since HTTP-only templates cannot simulate browser behavior (fetching external SVG, DOM insertion, script execution).

The current HTTP-only template demonstrates stored XSS via the mapplic-mapdata title field (payload reflected in response), which proves unsanitized input handling but tests a different vector than the CVE describes.

Question: Is there an acceptable approach for this CVE within HTTP-only constraints, or would a headless template be more appropriate here? I want to ensure the template accurately represents the vulnerability.
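A defender-side check for the condition the comment above describes (a stored map-data URL pointing at a remote SVG that the viewer fetches and inserts into the DOM). This is an added example, not code from the PR, nuclei, or the Mapplic plugin; it assumes nothing about Mapplic's JSON key names and instead scans every string value, and the sample map data and SVG snippets are constructed.

```python
import json
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample of a stored map-data blob; key names are illustrative only.
SAMPLE_MAPDATA = json.dumps({
    "title": "Office",
    "levels": [{"id": "floor1", "map": "https://cdn.example.net/floor.svg"}],
})


def iter_strings(node):
    """Yield every string value in a parsed JSON document, whatever the key names."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from iter_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from iter_strings(v)


def offsite_svg_urls(mapdata_json, site_host):
    """Return absolute SVG URLs in the map data whose host is not the site's own host."""
    findings = []
    for s in iter_strings(json.loads(mapdata_json)):
        u = urlparse(s)
        if u.scheme in ("http", "https") and u.path.lower().endswith(".svg"):
            if u.hostname and u.hostname.lower() != site_host.lower():
                findings.append(s)
    return findings


def svg_has_active_content(svg_text):
    """True if the SVG carries <script>, on* event handlers, or javascript: links."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return True  # an unparsable SVG is rejected rather than trusted
    for el in root.iter():
        if el.tag.split("}")[-1].lower() == "script":
            return True
        for name, val in el.attrib.items():
            local = name.split("}")[-1].lower()  # strip xlink/svg namespace prefix
            if local.startswith("on") or val.strip().lower().startswith("javascript:"):
                return True
    return False
```

A plugin that applied both checks before storing map data (rejecting off-origin SVG sources and SVG bodies with active content) would close the chain the comment describes without needing a browser to observe it.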

@DhiyaneshGeek DhiyaneshGeek added Done Ready to merge and removed waiting for more info labels Jan 6, 2026
DhiyaneshGeek (Member) commented Jan 6, 2026

Hi @KrE80r

I have validated locally

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.6.2

		projectdiscovery.io

[INF] Current nuclei version: v3.6.2 (latest)
[INF] Current nuclei-templates version: v10.3.6 (latest)
[INF] New templates added in latest release: 176
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2012-10018] WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload (@kre80r) [high]
[CVE-2012-10018] [http] [high] http://0.0.0.0:8088/wp-admin/post.php?post=15&action=edit

@pussycat0x pussycat0x merged commit e28067d into projectdiscovery:main Jan 8, 2026
3 checks passed


Development

Successfully merging this pull request may close these issues.

CVE-2012-10018 - Mapplic & Mapplic Lite - Server Side Request Forgery & Stored XSS 💰

3 participants