CVE-2026-4429: OSM OpenStreetMap WordPress XSS Flaw

CVE-2026-4429 Overview

CVE-2026-4429 is a Stored Cross-Site Scripting (XSS) vulnerability in the OSM – OpenStreetMap plugin for WordPress. The flaw affects all versions up to and including 6.1.15. It resides in the marker_name and file_color_list shortcode attributes of the [osm_map_v3] shortcode. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. The injected scripts execute in the browser of any user who views an affected page, leading to session theft, content defacement, or further account compromise. The vulnerability is tracked under [CWE-79].

Critical Impact

Authenticated Contributor-level users can persist JavaScript payloads that execute against site visitors and administrators, enabling session hijacking and privilege escalation pivots.

Affected Products

• OSM – OpenStreetMap plugin for WordPress, versions up to and including 6.1.15
• WordPress sites using the [osm_map_v3] shortcode
• Any WordPress instance permitting Contributor-level account registration with the plugin installed

Discovery Timeline

• 2026-04-09 - CVE-2026-4429 published to NVD
• 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-4429

Vulnerability Analysis

The OSM – OpenStreetMap plugin renders interactive maps in WordPress pages and posts through the [osm_map_v3] shortcode. The shortcode accepts user-controlled attributes, including marker_name and file_color_list, which the plugin processes and reflects into rendered HTML output. The plugin fails to sanitize these attributes on input and does not apply context-appropriate escaping on output. As a result, attacker-supplied markup persists in post content and executes when any user loads the affected page.

The relevant code paths reside in osm-icon-class.php and osm_map_v3/osm-sc-osm_map_v3.php, as documented in the WordPress Plugin Source and the Wordfence Vulnerability Report. The fix is committed in WordPress Plugin Changeset 3493950.

Root Cause

The root cause is missing input sanitization on the marker_name and file_color_list shortcode attributes combined with absent output escaping when the values are written into the page DOM. WordPress provides sanitize_text_field() and esc_attr() / esc_html() helpers for these contexts, but the affected code paths use the raw attribute values directly.

Attack Vector

An attacker authenticates to WordPress with a Contributor account or higher. The attacker creates or edits a post that embeds the [osm_map_v3] shortcode and supplies a malicious payload through marker_name or file_color_list. The payload is stored in the post content. When an editor, administrator, or site visitor renders the page, the script executes in the victim's browser session under the site's origin. Because the scope is changed (S:C), the attacker can impact resources beyond the security context of the vulnerable component, such as exfiltrating administrative session cookies.

No verified public exploit code is available. The vulnerability mechanism follows the standard stored XSS pattern documented in the references above.

Detection Methods for CVE-2026-4429

Indicators of Compromise

• Post or page records in wp_posts containing [osm_map_v3] shortcode attributes with <script>, onerror=, onload=, or javascript: tokens
• Unexpected outbound requests from administrator browsers to attacker-controlled domains following access to plugin-rendered pages
• New or modified WordPress user accounts following an administrator's visit to a page rendered by the plugin
• Suspicious revisions authored by Contributor-level accounts containing the affected shortcode

Detection Strategies

• Audit the WordPress database for [osm_map_v3] shortcode usage and inspect marker_name and file_color_list attribute values for HTML or JavaScript tokens
• Review post revision history for Contributor-authored edits introducing the shortcode
• Deploy a web application firewall (WAF) signature that blocks shortcode attributes containing event handler attributes or <script> fragments

Monitoring Recommendations

• Log and alert on Contributor or Author role activity that creates or modifies posts containing the affected shortcode
• Monitor administrator browser sessions for anomalous JavaScript-triggered requests after viewing plugin-rendered pages
• Forward WordPress audit logs to a centralized SIEM and correlate post edits with subsequent privileged actions

How to Mitigate CVE-2026-4429

Immediate Actions Required

• Update the OSM – OpenStreetMap plugin to the version released after 6.1.15 that contains the fix from changeset 3493950
• Review all existing posts using [osm_map_v3] and remove suspicious marker_name or file_color_list values
• Audit Contributor and Author accounts and revoke any accounts that should not have publishing rights

Patch Information

The vendor addressed the vulnerability in the version following 6.1.15. The fix introduces sanitization and escaping for the marker_name and file_color_list shortcode attributes. Refer to the Wordfence Vulnerability Report for the fixed version reference.

Workarounds

• Disable or uninstall the OSM – OpenStreetMap plugin until the patched version is applied
• Restrict Contributor-level account creation and require administrator approval for new low-privilege accounts
• Deploy a WAF rule that blocks HTTP requests containing the [osm_map_v3] shortcode with script tags or event handler attributes in shortcode parameters
• Apply a Content Security Policy (CSP) that disallows inline script execution on the WordPress front end

# Update the plugin via WP-CLI once a fixed version is published
wp plugin update osm

# Verify installed version
wp plugin get osm --field=version

# Search for posts containing the affected shortcode for manual review
wp post list --post_status=publish,draft --s='[osm_map_v3]' --format=table