CVE-2024-8991 is a stored cross-site scripting vulnerability classified under CWE-79, found in the photoweblog OSM – OpenStreetMap plugin for WordPress. This vulnerability affects all plugin versions up to and including 6.1.0. The root cause is insufficient sanitization and escaping of user-supplied attributes in the osm_map and osm_map_v3 shortcodes. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability is remotely exploitable over the network without user interaction but requires authenticated contributor-level access, limiting the attack surface to some extent. The CVSS v3.1 base score is 6.4, reflecting a medium severity with low attack complexity and no user interaction needed. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects websites using the OSM – OpenStreetMap plugin, which is popular among WordPress sites that integrate OpenStreetMap data for geolocation features.

The impact of CVE-2024-8991 can be significant for organizations relying on the OSM – OpenStreetMap WordPress plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the affected pages. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware. Since the vulnerability requires authenticated contributor access, the risk is higher in environments where contributor accounts are numerous or poorly managed. For high-traffic websites, the potential for widespread impact is considerable, affecting user trust and potentially leading to data breaches or reputational damage. The vulnerability does not affect system availability directly but compromises confidentiality and integrity of user interactions and data.

To mitigate CVE-2024-8991, organizations should immediately restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Until an official patch is released, administrators can implement input validation and output encoding at the application or web server level to sanitize shortcode attributes. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in shortcode parameters can reduce risk. Monitoring logs for unusual contributor activity and injected scripts is also advised. Updating the plugin to a patched version once available is critical. Additionally, educating contributors about secure input practices and limiting the use of shortcodes that accept user input can help prevent exploitation. Regular security assessments and penetration testing focusing on plugin vulnerabilities should be conducted.