CVE-2026-33559
Cross-Site Scripting in WordPress OpenStreetMap Plugin Allows Script Injection
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: JPCERT/CC
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mika | openstreetmap | all versions before 6.1.15 (6.1.15 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33559 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin "OpenStreetMap" by MiKa. All plugin versions before 6.1.15 are affected.
An authenticated user who can create or edit pages can send specially crafted HTTP requests that cause the plugin to emit attacker-controlled script into the page's HTML without neutralizing it (CWE-79). This matters because WordPress core normally strips script from the content of users who lack the unfiltered_html capability; the plugin provides a path around that filter.
When any other user, including an administrator, views the affected page, the script runs in their browser in the site's origin and can perform actions with that user's session or read data the page exposes.
How can this vulnerability impact me?
You are exposed if the affected plugin (any version before 6.1.15) is installed and your site has users with page creation or editing rights whom you do not fully trust, or whose accounts could be compromised.
A script planted by such a user runs in the browser of everyone who later views the page. Against a logged-in administrator that typically means actions taken with the administrator's session, such as changing settings or content, and disclosure of whatever the page or the admin session can reach.
The precondition limits the issue: exploitation requires an authenticated account with page editing privileges, and victims are the users who visit the tampered pages.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is not remotely fingerprintable in a reliable way; the practical check is the installed plugin version.
To detect it, confirm whether the OpenStreetMap plugin is installed and whether its version is below 6.1.15. In the WordPress admin, Plugins lists the version; on the server, the plugin's main PHP file carries a "Version:" header line that can be read directly.
In addition, review pages and posts that use the plugin's map shortcodes for unexpected script or event-handler attributes, and check the web server and WordPress activity logs for page edits by accounts that would not normally touch those pages.
The advisory itself does not provide detection commands.
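Added example (not code from the plugin, the advisory, or the CVE source): a small Python checker that reads the plugin's header from disk and compares the version with the fixed release. It assumes the plugin is installed under wp-content/plugins/osm/osm.php, the usual WordPress.org layout for this plugin; verify the slug on your own install. The sample header embedded below is constructed for the demo and is not the real plugin file.

```python
"""Check whether an installed WordPress "OpenStreetMap" plugin is below the
fixed version 6.1.15 (CVE-2026-33559).

Added example; not code from the plugin or the CVE source. Assumes the
plugin lives at wp-content/plugins/osm/osm.php (assumption, verify the
slug on your install) and that its main file has a standard plugin header.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

FIXED_VERSION = (6, 1, 15)   # first version reported as fixed
PLUGIN_SLUG = "osm"          # assumption, see module docstring
MAIN_FILE = "osm.php"        # assumption, see module docstring

# WordPress parses plugin headers from the first 8 KiB of the main file;
# the "Version:" line may be preceded by comment decoration such as " * ".
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> tuple[int, int, int]:
    """'6.1.14' -> (6, 1, 14); '6.1' -> (6, 1, 0); '6.1.15-rc1' -> (6, 1, 15)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """Affected range per the advisory: every version strictly before 6.1.15."""
    return parse_version(version) < FIXED_VERSION


def version_from_header(php_source: str) -> str | None:
    """Extract the Version: header value, or None if no header is present."""
    match = HEADER_RE.search(php_source[:8192])
    return match.group(1) if match else None


def check_install(wp_root: Path) -> dict:
    """Return {'installed', 'version', 'vulnerable'} for the WordPress tree at wp_root."""
    main = wp_root / "wp-content" / "plugins" / PLUGIN_SLUG / MAIN_FILE
    if not main.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    version = version_from_header(main.read_text(encoding="utf-8", errors="replace"))
    return {
        "installed": True,
        "version": version,
        # A missing or unparsable header is reported as vulnerable so it gets reviewed.
        "vulnerable": version is None or is_vulnerable(version),
    }


# Constructed sample header imitating the plugin file layout (not the real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: OSM
Plugin URI: https://wordpress.org/plugins/osm/
Description: Embed OpenStreetMap maps
Version: 6.1.14
Author: MiKa
*/
"""


def demo() -> dict:
    """Build a throwaway WordPress layout containing the sample header and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / MAIN_FILE).write_text(SAMPLE_HEADER, encoding="utf-8")
        return check_install(root)


if __name__ == "__main__":
    # Usage: python check_osm.py /var/www/html   (omit the path to run the demo)
    result = check_install(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print(result)
```

Run it against the WordPress document root; a result with "vulnerable": True means the plugin needs to be updated to 6.1.15 or later. Pre-release suffixes are ignored in the comparison, so a 6.1.15 pre-release is reported as fixed; treat that as a prompt to confirm rather than a verdict.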
What immediate steps should I take to mitigate this vulnerability?
Update the OpenStreetMap plugin to version 6.1.15 or later, the release in which the issue is fixed. If you cannot update promptly, deactivate the plugin until you can.
Also limit page creation and editing rights to trusted accounts, enforce strong authentication on those accounts, and review pages that use the plugin's shortcodes for content injected before the update, since patching the plugin does not remove scripts already stored in page content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The flaw lets an authenticated user with page editing rights plant script that runs in other users' browsers. If exploited, that can lead to unauthorized actions in those users' sessions and to disclosure of personal data shown on, or reachable from, the affected pages.
The plugin also processes GPX and KML files, which can contain location traces that qualify as personal data, so the pages it renders may fall within the scope of data-protection obligations.
Unauthorized access to or disclosure of personal data through such an attack can affect compliance with regulations such as GDPR or HIPAA, which require safeguards against exactly that. The vulnerability is therefore a compliance risk where it is exploitable, especially in environments subject to strict data-protection requirements.