CVE-2024-3603 is a stored Cross-Site Scripting (XSS) vulnerability identified in the OSM – OpenStreetMap plugin for WordPress, developed by photoweblog. This vulnerability affects all plugin versions up to and including 6.0.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes such as the 'theme' parameter within the 'osm_map' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize the shortcode. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, indicating medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change affecting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of patch links suggests a patch may not have been released at the time of reporting, emphasizing the need for immediate mitigation steps.

The primary impact of CVE-2024-3603 is the potential execution of malicious scripts within the context of vulnerable WordPress sites using the OSM – OpenStreetMap plugin. This can lead to partial loss of confidentiality, such as theft of session cookies or sensitive user data, and partial loss of integrity, including unauthorized content modification or defacement. Since the vulnerability requires contributor-level authentication, it limits exploitation to insiders or compromised accounts, but the scope remains significant for sites with multiple contributors or less stringent access controls. The attack does not affect availability, so denial-of-service is not a concern here. However, successful exploitation can facilitate further attacks like privilege escalation, phishing, or malware distribution. Organizations relying on this plugin for mapping features on their WordPress sites may face reputational damage, user trust erosion, and potential regulatory consequences if user data is compromised. The vulnerability's network attack vector and low complexity increase the likelihood of exploitation once an attacker gains contributor access.

To mitigate CVE-2024-3603, organizations should first check for and apply any official patches or updates released by the photoweblog plugin maintainers. If no patch is available, immediate steps include restricting contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injection attempts targeting the 'osm_map' shortcode parameters can reduce risk. Site administrators should also sanitize and validate all user inputs rigorously, especially those that influence shortcode attributes. Disabling or removing the OSM – OpenStreetMap plugin temporarily until a patch is available is advisable for high-risk environments. Additionally, monitoring logs for unusual activity related to shortcode usage and conducting regular security assessments of WordPress plugins can help detect exploitation attempts early. Educating contributors about secure content practices and the risks of injecting untrusted code is also beneficial.