CVE-2026-33559: Cross-site scripting (XSS) in MiKa OpenStreetMap
Description
CVE-2026-33559 is a medium severity cross-site scripting (XSS) vulnerability in the MiKa OpenStreetMap WordPress plugin, versions prior to 6.1.15. A logged-in user with page creation or editing privileges can inject script via crafted HTTP requests; when other users visit the affected page, the script executes in their browsers and can compromise the confidentiality and integrity of whatever their session can reach. Exploitation requires an authenticated account and a victim who visits the page, which limits exposure. No exploits are known in the wild at the time of publication. The vulnerability affects sites that use this plugin to embed OpenStreetMap maps, and organizations running it should update promptly. The CVSS 3.0 base score is 5.4 (medium).
AI Analysis
Technical Summary
CVE-2026-33559 identifies a stored cross-site scripting (XSS) vulnerability in the MiKa OpenStreetMap plugin for WordPress, affecting versions prior to 6.1.15. The plugin does not adequately sanitize or escape input that a logged-in user with page creation or editing privileges submits via crafted HTTP requests, so script can be injected into pages the plugin renders. When other users open such a page, the script runs in their browsers in the origin of the vulnerable site and can read what that session can read, perform actions on the victim's behalf, or alter page content. The attacker needs an authenticated account with the relevant privileges, and a victim must visit the affected page, so user interaction is required. The CVSS 3.0 base score is 5.4 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N): reachable over the network, low attack complexity, low privileges and user interaction required, low confidentiality and integrity impact, no availability impact. Scope is changed because the injected script executes in the visitor's browser, a different security authority from the plugin that failed to escape it. One caveat when prioritizing: on a single-site WordPress install, Administrators and Editors hold the unfiltered_html capability and can already publish script in content, so the flaw matters most for accounts below that level, for multisite installs (where only super admins hold unfiltered_html) and for sites that define DISALLOW_UNFILTERED_HTML. No public exploit has been reported, but the record is published and should be addressed promptly. The plugin embeds OpenStreetMap maps into WordPress sites; exposure is limited to sites running an affected version together with user accounts that hold editing privileges.
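The pattern below is an added illustration by the editor, not code from the MiKa OpenStreetMap plugin (the advisory does not describe the plugin's actual vulnerable sink). It shows the most common shape this bug class takes in WordPress plugins, a shortcode attribute concatenated straight into HTML, beside the corrected handler. The shortcode name demo_map, its attributes, the script handle and the JavaScript function name are hypothetical.

```php
<?php
// Added example: hypothetical shortcode [demo_map lat="" lon="" title=""].
// Not the MiKa OpenStreetMap plugin's code.

// VULNERABLE. A user who can edit the page but lacks unfiltered_html still
// controls the attribute strings: WordPress runs wp_kses over post_content for
// such users, but kses only rewrites HTML tags, and
//   [demo_map title='x" onmouseover="alert(document.domain)']
// contains none, so it is stored verbatim. Concatenated into a tag it closes
// the title attribute and adds an event handler that fires for every visitor.
function demo_map_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '0', 'lon' => '0', 'title' => '' ),
        $atts,
        'demo_map'
    );
    return '<div class="demo-map" title="' . $atts['title'] . '">'
         . '<script>demoInitMap(' . $atts['lat'] . ', ' . $atts['lon'] . ');</script>'
         . '</div>';
}

// HARDENED. Escape for the context each value lands in, and stop building
// <script> elements out of strings at all.
function demo_map_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '0', 'lon' => '0', 'title' => '' ),
        $atts,
        'demo_map'
    );
    // Numeric inputs are coerced, so a value like "0); evil(" becomes 0.0.
    $lat = (float) $atts['lat'];
    $lon = (float) $atts['lon'];

    // Coordinates reach JavaScript as JSON in a data-* attribute; the enqueued
    // map script reads it with JSON.parse(el.dataset.coords).
    $coords = wp_json_encode( array( 'lat' => $lat, 'lon' => $lon ) );

    // esc_attr() encodes ", ', <, > and & so a value cannot break out of the
    // attribute it is placed in.
    return sprintf(
        '<div class="demo-map" title="%s" data-coords="%s"></div>',
        esc_attr( $atts['title'] ),
        esc_attr( $coords )
    );
}
add_shortcode( 'demo_map', 'demo_map_shortcode_hardened' );

// The map code ships as a file, not inline markup, so a nonce- or hash-based
// Content Security Policy can cover it without allowing 'unsafe-inline'.
function demo_map_enqueue() {
    wp_enqueue_script( 'demo-map', plugins_url( 'demo-map.js', __FILE__ ), array(), '1.0', true );
}
add_action( 'wp_enqueue_scripts', 'demo_map_enqueue' );
```

Feeding the payload in the comment to the vulnerable handler yields `<div class="demo-map" title="x" onmouseover="alert(document.domain)">`; the hardened handler renders the same input as an inert title attribute with the quotes encoded. The same rule applies to every other sink a map plugin has (marker labels, popup HTML, options pages): escape at output for the exact context, and use wp_kses_post() only where rich HTML is genuinely required.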
Potential Impact
The primary impact is loss of confidentiality and integrity for users of an affected site. An attacker with editing privileges can plant script that executes for every visitor to the page, enabling session misuse, credential theft through injected forms, or unauthorized actions performed with the victim's session. WordPress sets its authentication cookies HttpOnly, so document.cookie alone does not hand over the session, but script running in the page can still issue authenticated requests (admin-ajax.php, the REST API, admin pages) as the victim. If that victim is an Administrator, those requests can create users, change options or install plugins, which turns a medium-severity XSS into full site compromise; a compromised trusted site can then push malicious content to its own visitors. Availability is not affected, but the breach of trust can bring reputational damage, loss of user confidence and regulatory consequences for organizations handling personal data. The need for an authenticated account with page editing rights tempers the risk, yet it remains significant wherever many accounts hold such rights, credentials are weak, or editing roles are granted to external contributors. Public-facing sites with collaborative content management face the greatest exposure.
Mitigation Recommendations
Update the MiKa OpenStreetMap plugin to version 6.1.15 or later, where the issue is fixed, and confirm the installed version afterwards rather than assuming an auto-update ran. Until then, reduce the population that can reach the flaw: restrict page creation and editing rights to trusted accounts, remove stale editor accounts, and require multi-factor authentication for the ones that remain. A Content Security Policy limits what an injected script can do, but WordPress and map plugins rely on inline scripts, so a policy that blocks inline script needs nonces or hashes and should be rolled out in report-only mode first. A web application firewall can block obvious payloads, but because the attacker is an authenticated editor submitting ordinary-looking content, treat WAF rules as defense in depth rather than a fix. Audit user permissions regularly and review page edits and plugin-related requests in the logs for script tags or event-handler attributes appearing where they should not. Brief content editors and administrators on XSS and on not pasting untrusted markup. Finally, include WordPress plugins in periodic vulnerability scans and penetration tests so that similar issues are found before they are exploited.
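The triage script below is added by the editor and comes from neither the page's author nor the plugin vendor. It is meant to be run with WP-CLI (`wp eval-file`) on a site that uses the plugin and does three of the things recommended above: checks the installed version against 6.1.15, lists the accounts that could plausibly exploit the flaw (able to edit pages but lacking unfiltered_html), and scans stored page content for attribute-injection payloads inside shortcodes. The value of CVE_PLUGIN_FILE is a placeholder to be replaced with the real plugin file from `wp plugin list --fields=name,version,file`; the content scan assumes the injected value lives in shortcode attributes in post content, which the advisory does not confirm, so extend it to plugin options or tables if the plugin stores its data elsewhere.

```php
<?php
// Added triage script (editor's example, not vendor code).
// Run: wp eval-file triage-cve-2026-33559.php
require_once ABSPATH . 'wp-admin/includes/plugin.php';

const CVE_PLUGIN_FILE   = 'REPLACE-ME/REPLACE-ME.php'; // placeholder; see `wp plugin list --fields=name,version,file`
const CVE_FIXED_VERSION = '6.1.15';

// 1. Version check against the fixed release.
function cve_33559_check_version() {
    $path = WP_PLUGIN_DIR . '/' . CVE_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        WP_CLI::warning( "plugin file not found: $path (fix CVE_PLUGIN_FILE)" );
        return;
    }
    $installed = get_plugin_data( $path, false, false )['Version'];
    if ( version_compare( $installed, CVE_FIXED_VERSION, '<' ) ) {
        WP_CLI::warning( "installed $installed is below " . CVE_FIXED_VERSION . ': update now' );
    } else {
        WP_CLI::success( "installed $installed is at or above " . CVE_FIXED_VERSION );
    }
}

// 2. Accounts that gain something from this bug. Users holding unfiltered_html
//    can already publish <script> legitimately, so the XSS adds nothing for
//    them; review everyone else who can edit pages.
function cve_33559_list_candidate_users() {
    foreach ( get_users() as $user ) {
        if ( user_can( $user, 'edit_pages' ) && ! user_can( $user, 'unfiltered_html' ) ) {
            WP_CLI::log( sprintf( 'review %-20s roles=%s', $user->user_login, implode( ',', $user->roles ) ) );
        }
    }
}

// 3. Coarse scan of stored content: an event-handler attribute, a javascript:
//    URL or a raw <script> inside a shortcode's brackets has no legitimate use.
//    Attribute names that merely begin with "on" will show up too; treat hits
//    as leads to inspect, not verdicts.
function cve_33559_scan_content() {
    $pattern = '/\[[^\]]*?(?:\bon[a-z]+\s*=|javascript:|<\s*script\b)[^\]]*\]/i';
    $posts   = get_posts( array(
        'post_type'   => array( 'page', 'post' ),
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    foreach ( $posts as $post ) {
        if ( preg_match( $pattern, $post->post_content, $m ) ) {
            WP_CLI::warning( sprintf(
                'post %d "%s" (author %d): %s',
                $post->ID, $post->post_title, $post->post_author, substr( $m[0], 0, 100 )
            ) );
        }
    }
}

cve_33559_check_version();
cve_33559_list_candidate_users();
cve_33559_scan_content();
```

Run it before and after the update: the first pass tells you whether the site was exposed and who could have used it, the second confirms the version is at or above 6.1.15. Any hit from the content scan should be traced back through the post's revision history to the account that introduced it.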
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-03-23T05:27:00.138Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69c615c93c064ed76f536688
Added to database: 3/27/2026, 5:29:45 AM
Last enriched: 3/27/2026, 5:45:04 AM
Last updated: 3/27/2026, 6:52:52 AM