Description
The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-11
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open User Map PRO plugin for WordPress contains a stored cross‑site scripting flaw that can be exploited by submitting the "oum_location_notification" parameter in an unauthenticated request. The vulnerability allows arbitrary web scripts to be written to the database and executed whenever a user accesses a page that displays that data. Based on the description, it is inferred that these injected scripts could be used to alter content, steal user data, or otherwise compromise the site when visitors load the affected pages.

Affected Systems

The impacted product is the Open User Map PRO WordPress plugin from 100plugins, versions 1.4.31 and earlier.

Risk and Exploitability

Scored with a CVSS level of 4.7, the vulnerability does not currently appear in the CISA KEV catalog and its EPSS score is unavailable. The likely attack vector is via a public web interface, granting unauthenticated users the ability to inject scripts into stored data with no privilege escalation required. The risk level is moderate, but awareness of the vulnerability remains important as stored XSS can be leveraged for a range of destructive attacks.

Generated by OpenCVE AI on June 11, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Open User Map PRO plugin to version 1.4.32 or later to remove the affected input handler.
  • If an immediate update is not feasible, disable or remove the "oum_location_notification" feature by editing the plugin code or configuring it to reject unescaped input.
  • Deploy a content‑security policy that blocks inline scripts and disallows execution from untrusted sources to mitigate any remaining risk of XSS.

Generated by OpenCVE AI on June 11, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Open User Map PRO <= 1.4.31 - Unauthenticated Stored Cross-Site Scripting via 'oum_location_notification'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-11T01:27:56.479Z

Reserved: 2026-02-19T18:28:52.104Z

Link: CVE-2026-2827

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-11T02:16:42.967

Modified: 2026-06-11T02:16:42.967

Link: CVE-2026-2827

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T04:00:04Z

Weaknesses