OSM OSMP WordPress Plug <=6.1.15: Stored XSS via marker_name & file_color

OSM OSMP WordPress Plug <=6.1.15: Stored XSS via marker_name & file_color_list
CVE-2026-4429 Published on April 9, 2026

OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute
The OSM OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Timeline

2026-03-22

Vendor Notified

2026-04-08

Disclosed 17 days later.

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-4429 has been classified to as a XSS vulnerability or weakness.

Affected Versions

Before and including 6.1.15 is affected.

OSM OSMP WordPress Plug <=6.1.15: Stored XSS via marker_name & file_color_listCVE-2026-4429 Published on April 9, 2026

Timeline

Weakness Type

What is a XSS Vulnerability?

Affected Versions

OSM OSMP WordPress Plug <=6.1.15: Stored XSS via marker_name & file_color_list
CVE-2026-4429 Published on April 9, 2026