CVE-2026-33559
Deferred Deferred - Pending Action
Cross-Site Scripting in WordPress OpenStreetMap Plugin Allows Script Injection

Publication date: 2026-03-27

Last updated on: 2026-05-19

Assigner: JPCERT/CC

Description
WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33559
EUVD
EUVD-2026-16553
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mika openstreetmap to 6.1.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33559 is a cross-site scripting (XSS) vulnerability in the WordPress plugin "OpenStreetMap" developed by MiKa. It affects versions prior to 6.1.15 of the plugin.

The vulnerability allows a logged-in user who has privileges to create or edit pages to embed malicious scripts through specially crafted HTTP requests.

When another user visits the compromised page, the malicious script executes in their web browser, potentially leading to unauthorized actions or data exposure.

Impact Analysis

This vulnerability can impact you if you have the affected WordPress plugin installed and a user with page creation or editing privileges embeds malicious scripts.

When other users visit the compromised pages, the embedded malicious scripts may execute in their browsers, which can lead to unauthorized actions or exposure of sensitive data.

The impact is limited to users with editing privileges being able to inject scripts and other users being exposed to these scripts when accessing the affected pages.

Detection Guidance

This vulnerability involves a cross-site scripting (XSS) issue in the WordPress OpenStreetMap plugin where a logged-in user with page editing privileges can embed malicious scripts via crafted HTTP requests.

To detect this vulnerability on your system, you should check if the OpenStreetMap plugin version is prior to 6.1.15, as those versions are affected.

You can also monitor HTTP requests and page content for suspicious script injections, especially from users with page editing privileges.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The recommended immediate mitigation step is to update the OpenStreetMap WordPress plugin to version 6.1.15 or later, where this vulnerability has been fixed.

Additionally, restrict page creation and editing privileges to trusted users only, to reduce the risk of malicious script embedding.

Compliance Impact

The vulnerability in the WordPress OpenStreetMap plugin allows a logged-in user with page editing privileges to embed malicious scripts that execute in other users' browsers. This cross-site scripting (XSS) flaw could lead to unauthorized actions or exposure of personal data if exploited.

Since the plugin handles GPX and KML file uploads that may contain personal data, improper handling or storage of these files (such as storing them in the plugin directory instead of the designated WordPress upload folder) could increase the risk of personal data exposure.

Such exposure or unauthorized access to personal data could impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal information against unauthorized access or disclosure.

Therefore, this vulnerability may pose a compliance risk if exploited, especially in environments subject to strict data protection standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart