Description
Missing Authorization vulnerability in MiKa OSM osm allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OSM: from n/a through <= 6.1.12.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows users to bypass intended security levels because access controls are incorrectly configured. Because the plugin does not enforce proper privileges, an attacker could potentially perform any action normally restricted to administrators, such as viewing or modifying sensitive content, executing plugin functions, or altering configuration settings. The weakness is classified as CWE-862: Authorization Bypass Through Privileged Credentials, indicating that the problem lies in insufficient enforcement of user roles and permissions.

Affected Systems

The affected products are the MiKa OSM plugin for WordPress, in all releases from the initial version through version 6.1.12 inclusive. Any WordPress site deploying one of these plugin versions is potentially impacted. Users who have not upgraded beyond 6.1.12 are therefore exposed to the risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% signals a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no documented active exploitation. The likely attack vector is the plugin interface, where an attacker with or without legitimate access could exploit insecure configuration settings to elevate privileges or execute unauthorized operations. Proper configuration or patching is required to mitigate this risk.

Generated by OpenCVE AI on April 16, 2026 at 00:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OSM plugin to the latest version (at least 6.1.13) released by MiKa.
  • If an upgrade is not immediately possible, restrict access to the plugin's administrative pages so that only authenticated administrators can view or modify them.
  • Replace the affected plugin with an alternative that implements proper role-based access control or remove the plugin entirely if it is not essential to site functionality.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mika; Mika osm; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mika; Mika osm; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in MiKa OSM osm allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OSM: from n/a through <= 6.1.12.

Type: Title
Values Removed: (none)
Values Added: WordPress OSM plugin <= 6.1.12 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:54.877Z

Reserved: 2026-02-02T12:20:47.811Z

Link: CVE-2026-25323

Vulnrichment

Updated: 2026-02-19T21:29:07.785Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:16.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25323

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses