Description
WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.
Published: 2026-03-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting that can execute arbitrary scripts in victims’ browsers
Action: Patch Immediately
AI Analysis

Impact

The affected WordPress OpenStreetMap plug-in, supplied by MiKa, contains an XSS flaw that lets a logged-in editor inject malicious JavaScript into a page via a crafted HTTP request. When an ordinary visitor opens that page the code runs in the visitor’s browser, permitting cookie theft, session hijacking, or other client-side attacks.

Affected Systems

This issue impacts sites that use MiKa’s OpenStreetMap plug-in for WordPress. No specific version numbers are listed, so any installation that has not applied recent updates is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 5.1 indicates medium severity. Exploit probability data is not provided, and the vulnerability is not in CISA’s KEV list. The likely attack vector is remote via the web interface, but it requires the attacker to first be a legitimate editor or to trick a user into submitting a crafted request. Once the malicious fragment is saved, it is executed automatically for any page viewer.

Generated by OpenCVE AI on March 27, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenStreetMap plug-in to the latest version published by MiKa.
  • If no update is available, disable the plug-in on the production site.
  • Restrict page-editing permissions to trusted administrators until a patch is applied.
  • Verify that the plug-in’s input is properly sanitized before publishing pages.
  • Keep WordPress core and other plugins up to date to reduce overall attack surface.



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: XSS Vulnerability in WordPress OpenStreetMap Plugin Allows Script Injection

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mika; Mika openstreetmap; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mika; Mika openstreetmap; Wordpress; Wordpress wordpress

Fri, 27 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_0: {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-03-27T04:56:41.153Z

Reserved: 2026-03-23T05:27:00.138Z

Link: CVE-2026-33559

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T06:16:39.160

Modified: 2026-03-27T06:16:39.160

Link: CVE-2026-33559

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:22:17Z

Weaknesses