CVE-2024-3603 in OpenStreetMap Plugin

Summary

by MITRE • 07/09/2024

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/20/2025

The vulnerability identified as CVE-2024-3603 affects the OSM – OpenStreetMap plugin for WordPress, a widely used mapping solution that integrates OpenStreetMap data into WordPress websites. This plugin allows users to embed interactive maps through shortcodes, making it a popular choice for content creators and website administrators who need to display geographical information. The vulnerability exists in all versions up to and including 6.0.2, representing a significant security risk for WordPress installations that utilize this mapping functionality. The flaw specifically targets the plugin's 'osm_map' shortcode implementation, which processes user-supplied attributes to customize map displays and functionality.

The technical root cause of this vulnerability lies in inadequate input sanitization and output escaping mechanisms within the plugin's shortcode processing logic. When users provide attributes such as 'theme' to the 'osm_map' shortcode, the plugin fails to properly validate or sanitize these inputs before incorporating them into the generated HTML output. This insufficient sanitization creates an environment where malicious code can be injected and stored within the WordPress database. The vulnerability is classified as a stored cross-site scripting flaw because the malicious scripts are persisted in the database and executed whenever affected pages are accessed by other users, rather than requiring immediate interaction with a vulnerable page.

Authenticated attackers with contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts that will execute in the context of other users' browsers. This access level is particularly concerning because contributors typically have the ability to create and edit posts and pages, making it relatively easy for malicious users to establish a persistent backdoor within the WordPress installation. The operational impact extends beyond simple script execution, as these stored scripts can be used to steal user session cookies, redirect visitors to malicious websites, or perform other malicious activities that compromise the security of the entire WordPress site and its visitors. The vulnerability affects all users who access pages containing the compromised shortcode, potentially exposing thousands of visitors to these malicious scripts.

The security implications of CVE-2024-3603 align with CWE-79, which describes Cross-Site Scripting vulnerabilities that occur when untrusted data is improperly incorporated into web pages without proper validation or escaping. This vulnerability also maps to ATT&CK technique T1566.001, which covers social engineering through spearphishing, as attackers could potentially use this vulnerability to deliver malicious payloads to unsuspecting users. Organizations should immediately update to the latest version of the OSM plugin where this vulnerability has been patched, as the stored nature of the XSS makes it particularly dangerous for long-term persistence. Additionally, administrators should implement proper input validation measures, conduct regular security audits of installed plugins, and monitor for suspicious activity in user accounts with contributor privileges. The vulnerability serves as a reminder of the critical importance of proper input sanitization and output escaping in web applications, particularly those that process user-generated content.
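The sanitization failure described in the analysis, shown as an added illustration in the shape of a WordPress shortcode handler; this is not the OSM plugin's own code or its actual fix. Only the 'osm_map' shortcode name and the 'theme' attribute come from the advisory; the function names, the allowed theme values and the rendered markup are hypothetical.

```php
<?php
// Added illustration, not the OSM plugin's code. Function names, the theme
// allowlist and the output markup are hypothetical; 'osm_map' and 'theme'
// are the only names taken from the advisory.

// Vulnerable pattern: the attribute value is concatenated straight into HTML.
function example_osm_map_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'theme' => 'default' ), $atts, 'osm_map' );
    // A Contributor-supplied value lands in an HTML attribute unescaped, so a
    // quote character in it terminates the attribute and whatever follows is
    // stored with the post and rendered for every later visitor.
    return '<div class="osm-map" data-theme="' . $atts['theme'] . '"></div>';
}

// Hardened pattern: validate against an allowlist, then escape on output.
function example_osm_map_safe( $atts ) {
    $allowed_themes = array( 'default', 'light', 'dark' ); // hypothetical set
    $atts = shortcode_atts( array( 'theme' => 'default' ), $atts, 'osm_map' );

    // Input validation: anything not in the allowlist falls back to the
    // default instead of being passed through.
    $theme = in_array( $atts['theme'], $allowed_themes, true )
        ? $atts['theme']
        : 'default';

    // Output escaping: esc_attr() still runs even though the value is
    // allowlisted, so a future list entry with special characters cannot
    // reintroduce the bug.
    return '<div class="osm-map" data-theme="' . esc_attr( $theme ) . '"></div>';
}

add_shortcode( 'osm_map', 'example_osm_map_safe' );
```

The same two-step rule (validate on input, escape with the context-appropriate WordPress helper on output) applies to every other attribute the shortcode accepts, not just 'theme'.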

Reservation

04/10/2024

Disclosure

07/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00344

KEV

no

Activities

very low

Sources
