CVE-2026-33559
Description
WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On a site with the affected version of the plugin enabled, a logged-in user with page-creating/editing privileges can embed a malicious script using a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress OSM plugin versions prior to 6.1.15 contain a stored cross-site scripting vulnerability allowing privileged users to inject malicious scripts via crafted HTTP requests.
What the vulnerability is
The WordPress plugin "OpenStreetMap" (OSM) provided by MiKa is vulnerable to cross-site scripting (XSS). The flaw, officially identified as CVE-2026-33559 and categorized under CWE-79, allows a logged-in user with page-creating or page-editing privileges to inject arbitrary web scripts. The vulnerability exists because the plugin does not properly neutralize user-supplied input during page creation or editing, enabling crafted HTTP requests to embed malicious code.
How it is exploited
To exploit this vulnerability, an attacker must first have an account on a WordPress site with at least author-level permissions (i.e., the ability to create or edit pages). No additional authentication is required beyond the standard WordPress session. The attacker sends a specially crafted HTTP request while editing a page that contains the plugin's shortcode or other user-controlled parameters. When the page is saved and later viewed by another user (e.g., a visitor or an administrator), the injected script executes in the context of the victim's browser session.
Impact
Successful exploitation results in the execution of an attacker-controlled script within the victim's browser. This can lead to a range of typical XSS impacts, such as session hijacking, phishing attacks, defacement, or the exfiltration of sensitive data (including cookies or authentication tokens). The CVSS v3.0 base score is 5.4 (Medium), with a vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating low impact on confidentiality and integrity, and no direct impact on availability [2].
Mitigation
The vulnerability affects OpenStreetMap versions prior to 6.1.15. Users are advised to update the plugin to the latest version as provided by the developer on the WordPress plugin repository [1][2]. There is no known workaround; the recommended solution is to apply the security update immediately. No evidence exists that this vulnerability has been exploited in the wild at the time of publication.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MiKa/OpenStreetMap v5 (Range: prior to 6.1.15)
Patches
No patches discovered yet.