Published:2026/03/27 Last Updated:2026/03/27
JVN#48058823
WordPress Plugin "OpenStreetMap" vulnerable to cross-site scripting
Overview
WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability.
Products Affected
- OpenStreetMap versions prior to 6.1.15
Description
WordPress Plugin "OpenStreetMap" provided by MiKa contains the following vulnerability.
- Cross-site scripting (CWE-79)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
- CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
- CVE-2026-33559
Impact
On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request.
When a victim user accesses this page, the script may be executed in the user's web browser.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| MiKa | OSM – OpenStreetMap |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Naoya Takahashi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2026-33559 |
| JVN iPedia |
JVNDB-2026-000045 |