PatchSiren cyber security CVE debrief
CVE-2026-33559 MiKa CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the WordPress OpenStreetMap plugin by MiKa. The flaw allows authenticated users with page creation or editing privileges to embed malicious scripts via crafted HTTP requests. When victim users access the compromised page, the injected script executes in their browser context. The vulnerability carries a CVSS 4.0 score of 5.1 (MEDIUM severity) and was assigned CWE-79 for improper neutralization of input during web page generation. The issue was published to CVE on March 27, 2026, with the record last modified on May 19, 2026. JPCERT/CC coordinated disclosure through JVN, and the plugin's WordPress.org repository page is available for reference. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: MiKa
- Product: OpenStreetMap
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-27
- Original CVE updated: 2026-05-19
- Advisory published: 2026-03-27
- Advisory updated: 2026-05-19
Who should care
WordPress site administrators using the OpenStreetMap plugin; security teams managing content management system deployments; web application developers implementing map integration plugins; compliance officers tracking vulnerability disclosure timelines
Technical summary
The OpenStreetMap plugin for WordPress fails to properly sanitize user-supplied input when processing map shortcodes or configuration data during page editing operations. Authenticated users with the capability to create or edit posts and pages can submit crafted HTTP requests containing JavaScript payloads. These payloads are persisted to the database and later rendered without adequate output encoding when other users view the page. Per the CVSS 4.0 vector, the vulnerability is reachable over the network with low attack complexity, and requires low (authenticated) privileges plus passive user interaction. Confidentiality and integrity impacts on the vulnerable system are rated low, with no availability impact. The CVSS 4.0 environmental metrics remain unspecified in the source record.
Defensive priority
medium
Recommended defensive actions
- Update the OpenStreetMap WordPress plugin to a patched version once available from the WordPress.org plugin repository
- Review and restrict page creation and editing privileges to trusted administrative users only
- Implement Content Security Policy headers to mitigate impact of potential XSS payloads
- Audit existing page content for unauthorized script injections, particularly content modified by lower-privilege users
- Enable WordPress automatic plugin updates if organizational policy permits
- Monitor web application logs for anomalous page editing patterns or unexpected script tag insertion
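The content audit recommended above, as an added example that is not part of this advisory or the plugin's own code: it scans exported WordPress post content for stored-XSS indicators (script tags, inline event handlers, javascript: URLs) and prioritizes hits authored by non-administrators. The `[map ...]` shortcode name and the sample posts are constructed for illustration and do not reflect the plugin's actual shortcode.

```python
"""Audit WordPress post content for stored-XSS indicators (added example)."""
import re

# Indicators that have no legitimate place inside map shortcode attributes
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
}
# Any WordPress-style shortcode, e.g. [map lat="..."]; the name "map" is hypothetical
SHORTCODE = re.compile(r"\[(\w+)([^\]]*)\]")


def find_xss_indicators(content):
    """Return the sorted names of indicator patterns found in one post body."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(content))


def audit_posts(posts):
    """posts: iterable of dicts with id, author, role, content (e.g. from wp_posts).

    Returns one record per flagged post. Content edited by lower-privilege
    roles is marked high priority, matching the advisory's guidance.
    """
    flagged = []
    for post in posts:
        hits = find_xss_indicators(post["content"])
        if not hits:
            continue
        flagged.append({
            "id": post["id"],
            "author": post["author"],
            "indicators": hits,
            "shortcodes": [m.group(1) for m in SHORTCODE.finditer(post["content"])],
            "priority": "medium" if post["role"] == "administrator" else "high",
        })
    return flagged


# Constructed sample rows standing in for a wp_posts export
SAMPLE_POSTS = [
    {"id": 101, "author": "editor_a", "role": "editor",
     "content": 'Our office: [map lat="48.8566" lon="2.3522" zoom="12"]'},
    {"id": 102, "author": "contrib_b", "role": "contributor",
     "content": '[map lat="48.85" lon="2.35" marker_text="<script>alert(\'xss\')</script>"]'},
    {"id": 103, "author": "admin", "role": "administrator",
     "content": 'See [map lat="51.5" lon="-0.12" marker_text="<img src=x onerror=alert(1)>"]'},
]

if __name__ == "__main__":
    for record in audit_posts(SAMPLE_POSTS):
        print(record)
```

Note that the `lon=` attribute does not trip the event-handler pattern because the match requires a word boundary before `on`.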
Evidence notes
Vulnerability description sourced from NVD record with CVSS 4.0 vector. Vendor attribution to MiKa based on plugin authorship per WordPress.org repository. CWE-79 classification confirmed via NVD weaknesses field. JVN reference provides Japanese domestic coordination context.
Official resources
Coordinated disclosure via JPCERT/CC (JVN)