VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 8 known issues Latest disclosed Apr 08, 2026

OSM – OpenStreetMap Vulnerabilities

Review known vulnerability records for the WordPress plugin OSM – OpenStreetMap (`osm`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-4429, CVE-2025-31557 and CVE-2024-52355, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
8
High or Critical
2
Patch Coverage
100%
Last Updated
Apr 09, 2026
Priority CVE Quick Links

Fast paths into OSM – OpenStreetMap CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
8
CVE-2024-3604 Critical 6.0.4
CVE-2024-3604 OSM – OpenStreetMap SQL Injection

OSM – OpenStreetMap <= 6.0.3 - Authenticated (Contributor+) SQL Injection

CVE-2022-30544 High 6.0.1
CVE-2022-30544 OSM – OpenStreetMap Cross-Site Request Forgery

OSM - OpenStreetMap <= 6.0 - Cross-Site Request Forgery

CVE-2026-4429 Medium 6.1.16
CVE-2026-4429 OSM – OpenStreetMap Stored Cross-Site Scripting

OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute

CVE-2025-31557 Medium 6.1.14
CVE-2025-31557 OSM – OpenStreetMap Stored Cross-Site Scripting

OSM – OpenStreetMap <= 6.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-52355 Medium 6.1.3
CVE-2024-52355 OSM – OpenStreetMap Stored Cross-Site Scripting

OSM – OpenStreetMap <= 6.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-8991 Medium 6.1.1
CVE-2024-8991 OSM – OpenStreetMap Stored Cross-Site Scripting

OSM <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes

CVE-2024-3603 Medium 6.0.4
CVE-2024-3603 OSM – OpenStreetMap Stored Cross-Site Scripting

OSM – OpenStreetMap <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE-2022-4676 Medium 6.0.6
CVE-2022-4676 OSM – OpenStreetMap Stored Cross-Site Scripting

OSM - OpenStreetMap <= 6.0.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via 'osm_map' Shortcode

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for OSM – OpenStreetMap so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
8 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 1 high severity finding.
Recent CVEs
CVE-2026-4429, CVE-2025-31557 and CVE-2024-52355
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for OSM – OpenStreetMap

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-4429
CVE-2026-4429: OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and o...

Published
Apr 08, 2026
Patched Release
6.1.16
Affected Versions
Versions up to 6.1.15
Next Step
Update to 6.1.16 or newer if supported.
Open CVE-2026-4429 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-31557
CVE-2025-31557: OSM – OpenStreetMap <= 6.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.1.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and abo...

Published
Mar 31, 2025
Patched Release
6.1.14
Affected Versions
Versions up to 6.1.13
Next Step
Update to 6.1.14 or newer if supported.
Open CVE-2025-31557 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-52355
CVE-2024-52355: OSM – OpenStreetMap <= 6.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and abov...

Published
Nov 08, 2024
Patched Release
6.1.3
Affected Versions
Versions up to 6.1.2
Next Step
Update to 6.1.3 or newer if supported.
Open CVE-2024-52355 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-8991
CVE-2024-8991: OSM <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's osm_map and osm_map_v3 shortcodes in all versions up to, and including, 6.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This ma...

Published
Sep 26, 2024
Patched Release
6.1.1
Affected Versions
Versions up to 6.1.0
Next Step
Update to 6.1.1 or newer if supported.
Open CVE-2024-8991 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-3604
CVE-2024-3604: OSM – OpenStreetMap <= 6.0.3 - Authenticated (Contributor+) SQL Injection

The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

Published
Jul 08, 2024
Patched Release
6.0.4
Affected Versions
Versions up to 6.0.3
Next Step
Update to 6.0.4 or newer if supported.
Open CVE-2024-3604 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-3603
CVE-2024-3603: OSM – OpenStreetMap <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This...

Published
Jul 08, 2024
Patched Release
6.0.4
Affected Versions
Versions up to 6.0.3
Next Step
Update to 6.0.4 or newer if supported.
Open CVE-2024-3603 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-4676
CVE-2022-4676: OSM - OpenStreetMap <= 6.0.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via 'osm_map' Shortcode

The OSM - OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in versions up to, and including, 6.0.5 due to insufficient input sanitization and output escaping on user supplied attributes like 'map_border'. This ma...

Published
May 03, 2023
Patched Release
6.0.6
Affected Versions
Versions up to 6.0.5
Next Step
Update to 6.0.6 or newer if supported.
Open CVE-2022-4676 Report Open CVE Reference
Plugin High Patched: Yes CVE-2022-30544
CVE-2022-30544: OSM - OpenStreetMap <= 6.0 - Cross-Site Request Forgery

The OSM - OpenStreetMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this functi...

Published
Sep 30, 2022
Patched Release
6.0.1
Affected Versions
Versions up to 6.0
Next Step
Update to 6.0.1 or newer if supported.
Open CVE-2022-30544 Report Open CVE Reference