Description
The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attributes of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-09
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The OSM – OpenStreetMap plugin for WordPress contains a stored Cross-Site Scripting flaw in the marker_name and file_color_list attributes of the [osm_map_v3] shortcode. Because the plugin fails to sanitize or escape these inputs, an authenticated user with Contributor-level access or higher can insert arbitrary JavaScript that will run in the browsers of anyone who views a page containing the injected shortcode. This vulnerability permits attackers to execute client-side code in the context of the site, enabling session hijacking, defacement, or the delivery of additional malicious payloads.

Affected Systems

WordPress installations that use the OSM – OpenStreetMap plugin, versions up to and including 6.1.15. Sites that have installed this plugin and grant Contributor or higher privileges to users are vulnerable. The vulnerability is specific to the plugin's handling of the [osm_map_v3] shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Contributor or higher privileges (CVSS PR:L), so unauthenticated visitors cannot trigger it directly, although the flaw is reachable over the network (AV:N). Once a shortcode is injected, the stored payload remains until the content is edited or the plugin is updated. Because the threat relies on user privileges, sites that limit Contributor access or use the latest version are less exposed. Nonetheless, if an attacker compromises a Contributor account, the risk is significant for the affected website.

Generated by OpenCVE AI on April 9, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the OSM – OpenStreetMap plugin to the latest version (6.1.16 or newer).
  • If an upgrade is not immediately possible, disable the [osm_map_v3] shortcode or remove the plugin until an updated version is available.
  • Verify that only trusted users hold Contributor or higher roles and consider tightening role permissions.
  • Run a site-wide scan for evidence of injected scripts in existing posts or pages.

Generated by OpenCVE AI on April 9, 2026 at 04:22 UTC.
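One way to carry out the site-wide scan in the last recommendation, as an added example that is not OpenCVE's or the plugin's code: it parses [osm_map_v3] shortcodes out of post content and flags marker_name and file_color_list values that contain a tag, an event-handler attribute or a javascript: URL. The post rows are constructed; the three attribute-value forms and the rule that ']' cannot appear inside a shortcode's attribute list follow WordPress core's shortcode parser.

```python
"""Scan WordPress post content for [osm_map_v3] shortcodes whose
marker_name / file_color_list attributes carry HTML or script markup.

Added example for the 'scan for injected scripts' step; it is not
OpenCVE's or the plugin's code. Post rows are constructed inline; in
production feed it wp_posts.post_content from the database."""
import re

# WordPress never lets ']' appear inside a shortcode's attribute list,
# so stopping at the first ']' matches what the core parser does.
SHORTCODE = re.compile(r"\[osm_map_v3\b([^\]]*)\]", re.IGNORECASE)
# key="value" | key='value' | key=bare, the three forms WordPress accepts
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
WATCHED = {"marker_name", "file_color_list"}
# Heuristic: a marker label or colour list has no reason to contain a tag,
# an event-handler attribute or a javascript: URL.
SUSPICIOUS = re.compile(r"<[a-z!/]|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

def parse_attrs(raw):
    """Return {name: value} for one shortcode's attribute string."""
    out = {}
    for m in ATTR.finditer(raw):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out

def find_suspicious(post_id, content):
    """Return (post_id, attr, value) for each watched attribute whose value
    looks like markup; a quote that breaks out of the attribute also counts."""
    hits = []
    for sc in SHORTCODE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            if name in WATCHED and SUSPICIOUS.search(value):
                hits.append((post_id, name, value))
    return hits

# Constructed sample rows (post_id -> post_content), not real site data
SAMPLE_POSTS = {
    10: 'Office: [osm_map_v3 map_center="52.5,13.4" marker_name="Berlin HQ" file_color_list="red,blue"]',
    11: '[osm_map_v3 marker_name="<img src=x onerror=alert(1)>" zoom="12"]',
    12: "[osm_map_v3 file_color_list='red\" onmouseover=\"alert(1)' marker_name=Cafe]",
}

def scan(posts=SAMPLE_POSTS):
    """Run find_suspicious over every post and flatten the hits."""
    return [h for pid, body in posts.items() for h in find_suspicious(pid, body)]

if __name__ == "__main__":
    for pid, attr, value in scan():
        print(f"post {pid}: suspicious {attr}={value!r}")
```

Treat hits as leads to review by hand: the patterns are a heuristic, and the clean-looking post 10 shows the benign case the scan must pass over.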

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Photoweblog; Photoweblog osm – Openstreetmap; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Photoweblog; Photoweblog osm – Openstreetmap; Wordpress; Wordpress wordpress

Thu, 09 Apr 2026 03:30:00 +0000

Type: Description
Values Added: The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T02:25:05.932Z

Reserved: 2026-03-19T14:07:21.421Z

Link: CVE-2026-4429

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T04:17:14.640

Modified: 2026-04-09T04:17:14.640

Link: CVE-2026-4429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:12Z

Weaknesses