VYPR
Medium severity (CVSS 4.7) · NVD Advisory · Published Jun 11, 2026

CVE-2026-2827

Description

Stored XSS in Open User Map PRO ≤1.4.31 allows unauthenticated attackers to inject arbitrary web scripts via the oum_location_notification parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Open User Map PRO plugin for WordPress, versions up to and including 1.4.31, is vulnerable to Stored Cross-Site Scripting (XSS) via the 'oum_location_notification' parameter. This occurs due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary JavaScript or HTML in pages processed by the plugin [1]. The vulnerability affects the PRO version of the interactive map plugin that enables frontend submissions and location management.
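As an added illustration of the two controls the description names (input sanitization and output escaping), and not code from the Open User Map PRO plugin, whose affected code is not available here: a hypothetical WordPress handler for a frontend field carrying the same parameter name, shown in its weak form and its hardened form. The `oum_demo_*` function names, the nonce action and the meta key are assumptions; the WordPress API calls are real.

```php
<?php
// Hypothetical handler for a frontend location submission. Not the plugin's code;
// it illustrates the vulnerability class the advisory describes.

// Weak form: raw request data is stored and later echoed unchanged, so any HTML
// or <script> an unauthenticated submitter sends is persisted and rendered for
// every visitor, including administrators reviewing the location.
function oum_demo_save_notification_weak( int $location_id ): void {
    $value = $_POST['oum_location_notification'] ?? '';
    update_post_meta( $location_id, '_oum_demo_notification', $value );
}
function oum_demo_render_notification_weak( int $location_id ): void {
    echo get_post_meta( $location_id, '_oum_demo_notification', true );
}

// Hardened form: sanitize on the way in, escape on the way out, and accept the
// field only from the plugin's own form (nonce check).
function oum_demo_save_notification( int $location_id ): bool {
    if ( ! isset( $_POST['oum_demo_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['oum_demo_nonce'] ), 'oum_demo_submit' ) ) {
        return false;
    }
    // wp_unslash() undoes WordPress' request slashing; sanitize_text_field()
    // strips HTML tags, neutralises a stray '<' and removes line breaks.
    $value = sanitize_text_field( wp_unslash( $_POST['oum_location_notification'] ?? '' ) );
    // Sanitization does not bound size; enforce a length limit as well.
    $value = mb_substr( $value, 0, 500 );
    update_post_meta( $location_id, '_oum_demo_notification', $value );
    return true;
}
function oum_demo_render_notification( int $location_id ): void {
    // Escape for the HTML context the value lands in. Do not rely on write-time
    // sanitization alone: rows stored before the fix may still hold raw markup.
    $value = (string) get_post_meta( $location_id, '_oum_demo_notification', true );
    echo '<p class="oum-notification">' . esc_html( $value ) . '</p>';
}
```

The escaping call must match the output context: esc_html() for element text, esc_attr() inside an attribute, and esc_url() for href values.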

Exploitation

An unauthenticated attacker can exploit this by submitting malicious content through the 'oum_location_notification' parameter during a location submission or update process. No authentication or elevated privileges are required. The injected script is stored on the server and executed whenever a user, including administrators, accesses the page containing the injected content. The attack does not require any user interaction apart from visiting the affected page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Since the script executes in the administrative context if an admin views the page, the attacker could potentially perform administrative actions on behalf of the victim. The impact is consistent with stored XSS vulnerabilities of medium severity (CVSS 4.7) [1].

Mitigation

As of the publication date (2026-06-11), no patched version has been released for Open User Map PRO. Users should monitor the plugin's official website [1] for updates and apply the fix as soon as it becomes available. In the interim, administrators can mitigate risk by restricting access to plugin pages, using a web application firewall (WAF) to block malicious input, or disabling the notification feature if possible. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of disclosure.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.