[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZarqVhykTYlsMyKxp4mW0uVBZVkqma7YFl1XPueBusA":3,"$fsWWFcpiPz4xW69JfZj9113ImEzp2KlHzd9kfmy2I-kY":648,"$fJ9bsEB5p9UErm-sCS14LgrXjEqPgFI30ZrsJHSoXuq0":651},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"discovery_status":31,"vulnerabilities":32,"developer":180,"crawl_stats":38,"alternatives":185,"analysis":284,"fingerprints":524},"osm","OSM – OpenStreetMap","6.1.17","MiKa","https:\u002F\u002Fprofiles.wordpress.org\u002Fphotoweblog\u002F","\u003Cp>Add a map with marker in less than 100 sec:\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FGDoiXO1SfJ0?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>If you want to get detailed information about the OSM-plugin visit these pages:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Homepage: \u003Ca href=\"https:\u002F\u002Fwp-osm-plugin.hyumika.com\u002F\" title=\"OSM-plugin\" rel=\"nofollow ugc\">WP-OSM-Plugin\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Forum: \u003Ca href=\"https:\u002F\u002Fwp-osm-plugin.hyumika.com\u002Fsurvey\u002F\" title=\"OSM-plugin feedback \u002F feature request EN|DE\" rel=\"nofollow ugc\">EN|DE\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Twitter: \u003Ca 
href=\"https:\u002F\u002Ftwitter.com\u002Fwp_osm_plugin\" title=\"@WP_OSM_Plugin\" rel=\"nofollow ugc\">@WP_OSM_Plugin\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Features of the WP-OSM-plugin:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>OpenStreetMap, HOT, OpenSeaMap, OpenTopoMap, BaseMap (AT), Stamen in posts\u002Fpages\u003C\u002Fli>\n\u003Cli>Integration in post \u002F page \u002F widget\u003C\u002Fli>\n\u003Cli>HTML Popup Marker\u003C\u002Fli>\n\u003Cli>GPX and KML (incl. upload in Mediathek)\u003C\u002Fli>\n\u003Cli>Map with geo-tagged posts\u002Fpages as linked marker\u003C\u002Fli>\n\u003Cli>Map with autogenerated track by geo-tagged posts \u002F pages\u003C\u002Fli>\n\u003Cli>html-meta tags for geo-tagged posts\u002Fpages\u003C\u002Fli>\n\u003Cli>uses OpenLayers Library\u003C\u002Fli>\n\u003Cli>SSL connection (https)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Languages – thanks to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>English\u003C\u002Fli>\n\u003Cli>Deutsch\u003C\u002Fli>\n\u003Cli>Japanese [by Sykane]\u003C\u002Fli>\n\u003Cli>French [by Tounoki and Marc]\u003C\u002Fli>\n\u003Cli>Russian [by Вячеслав Стренадко\u002FVyacheslav Strenadko]\u003C\u002Fli>\n\u003Cli>Italian [by Andrea Giacomelli]\u003C\u002Fli>\n\u003Cli>Spanish [by Colegota]\u003C\u002Fli>\n\u003Cli>Romanian [by Sorin Pop]\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Swedish [by Olle Zettergren]\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fopenlayers.org\" rel=\"nofollow ugc\">OpenLayers\u003C\u002Fa>: Open Source JavaScript, released under the 2-clause BSD\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>!! 
IMPORTANT !!\u003Cbr \u002F>\nThe WordPress Plugin Review Team required us to provide an opt-in feature to display attribution since it is part of \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fwordpress-org\u002Fdetailed-plugin-guidelines\u002F#10-plugins-may-not-embed-external-links-or-credits-on-the-public-site-without-explicitly-asking-the-user%e2%80%99s-permission\" rel=\"nofollow ugc\">WordPress Plugin Guidelines\u003C\u002Fa>. So you have to enable the checkbox “Display attribution (credit) in the map.” at the WP OSM Plugin Shortcode generator or add the attribution manually to your map. Otherwise it may violate the map or data license, e.g. \u003Ca href=\"https:\u002F\u002Fwww.openstreetmap.org\u002Fcopyright\" rel=\"nofollow ugc\">OpenStreetMap\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>This plugin enables GPX and KML upload!\u003C\u002Fp>\n\u003Cp>Licenses of the maps:\u003Cbr \u002F>\n* OpenStreetMap: \u003Ca href=\"https:\u002F\u002Fwww.openstreetmap.org\u002Fcopyright\" rel=\"nofollow ugc\">OpenStreetMap License\u003C\u002Fa>\u003Cbr \u002F>\n* OpenTopoMap: \u003Ca href=\"https:\u002F\u002Fopentopomap.org\u002Fabout\" rel=\"nofollow ugc\">OpenTopoMap License\u003C\u002Fa>\u003Cbr \u002F>\n* Stamen Maps: \u003Ca href=\"http:\u002F\u002Fmaps.stamen.com\" rel=\"nofollow ugc\">Stamen License\u003C\u002Fa>\u003Cbr \u002F>\n* BaseMap:  \u003Ca href=\"http:\u002F\u002Fbasemap.at\" rel=\"nofollow ugc\">BaseMap License\u003C\u002Fa>\u003Cbr \u002F>\n* Thunderforest (API key): \u003Ca href=\"http:\u002F\u002Fwww.thunderforest.com\u002Fterms\u002F\" rel=\"nofollow ugc\">Thunderforest License\u003C\u002Fa>\u003Cbr \u002F>\n* Others: Depends on the map you are including – check it before including it!\u003C\u002Fp>\n","Customize maps in your post, pages and widgets. GPX, KML and more. 
The easy way to map!",10000,663165,92,135,"2026-04-11T12:39:00.000Z","6.9.4","3.0","5.3",[20,21,22,23,4],"gpx","kml","openseamap","openstreetmap","https:\u002F\u002Fwp-osm-plugin.hyumika.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.17.zip",86,9,0,"2026-04-08 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[33,61,84,97,110,122,139,150,163],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":40,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":29,"updated_date":45,"references":46,"days_to_patch":48,"patch_diff_files":49,"patch_trac_url":38,"research_status":54,"research_verified":55,"research_rounds_completed":56,"research_plan":57,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":58,"research_started_at":59,"research_completed_at":60,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2026-4429","osm-authenticated-contributor-stored-cross-site-scripting-via-markername-shortcode-attribute","OSM \u003C= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute","The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=6.1.15","6.1.16","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-09 02:25:05",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F65dffde9-2a50-41fe-bc21-3d0915068887?source=api-prod",1,[50,51,52,53],"osm-icon-class.php","osm.php","osm_map_v3\u002Fosm-sc-osm_map_v3.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-4429 - OSM Stored XSS\n\n## 1. Vulnerability Summary\nThe **OSM – OpenStreetMap** plugin for WordPress (versions \u003C= 6.1.15) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the handling of the `[osm_map_v3]` shortcode, specifically through the `marker_name` and `file_color_list` attributes. Because the plugin fails to sanitize or escape these attributes before rendering them in the page's HTML or JavaScript context, an attacker with at least Contributor-level permissions can inject malicious scripts into posts or pages.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post\u002FPage Editor (standard `wp-admin\u002Fpost.php` or Gutenberg block editor).\n*   **Shortcode:** `[osm_map_v3]`\n*   **Vulnerable Attributes:** `marker_name`, `file_color_list`.\n*   **Authentication Level:** Contributor or higher (any role capable of using shortcodes).\n*   **Vector:** The payload is stored in the `post_content` table and executes whenever the post\u002Fpage is viewed.\n\n## 3. Code Flow\n1.  **Entry Point:** When a post containing `[osm_map_v3]` is rendered, WordPress calls the shortcode handler.\n2.  
**Registration:** The shortcode is handled in `osm_map_v3\u002Fosm-sc-osm_map_v3.php`.\n3.  **Attribute Extraction:** \n    *   Line 47: `extract(shortcode_atts(array(... 'file_color_list' => 'NoColor', ... 'marker_name' => 'NoName', ...), $atts));`\n    *   The variables `$marker_name` and `$file_color_list` now hold raw user-provided values.\n4.  **Processing:**\n    *   Line 81: Attributes are passed to the `cOsm_arguments` constructor.\n    *   Line 160: `$default_icon = new cOsm_icon($marker_name);` is called if `marker_size` is not set.\n5.  **Sink:** The variables are subsequently used to build the HTML and JavaScript that initializes the OpenLayers map. In version 6.1.15, these are reflected into the page without calling escaping functions like `esc_attr()` or `esc_js()`.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Stored XSS** vulnerability via a shortcode. It does **not** require a plugin-specific AJAX nonce to exploit. The attacker only needs to be able to save a post.\n*   The \"exploit\" happens during the rendering phase. \n*   To *set up* the exploit, use the `wp-cli` to create a post as a Contributor.\n*   To *trigger* the exploit, navigate to the post URL.\n\n## 5. Exploitation Strategy\n### Step 1: Payload Selection\nWe will test two attributes: `marker_name` and `file_color_list`.\n*   **Payload A (Attribute breakout):** `\">\u003Cscript>alert('XSS_MARKER')\u003C\u002Fscript>`\n*   **Payload B (JS context breakout):** `';alert('XSS_COLOR');\u002F\u002F`\n\n### Step 2: Test Data Setup (via WP-CLI)\nCreate a post as a contributor user containing the malicious shortcode.\n\n```bash\n# 1. Ensure a contributor user exists\nwp user create contributor contributor@example.com --role=contributor --user_pass=password123\n\n# 2. 
Create a post with the malicious shortcode\nwp post create --post_type=post \\\n               --post_title=\"OSM Map Test\" \\\n               --post_status=publish \\\n               --post_author=$(wp user get contributor --field=ID) \\\n               --post_content='[osm_map_v3 marker_name=\"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" file_color_list=\"\\\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\"]'\n```\n\n### Step 3: Trigger the Exploit\nNavigate to the newly created post in the browser context.\n\n```javascript\n\u002F\u002F PoC Agent: Use browser_navigate to the URL of the created post.\n\u002F\u002F The post ID can be captured from the 'wp post create' output.\n```\n\n## 6. Test Data Setup\n*   **Plugin Status:** OSM v6.1.15 installed and activated.\n*   **User Role:** A user with `edit_posts` capability (Contributor+).\n*   **Content:** A post containing the `[osm_map_v3]` shortcode with payloads in `marker_name` and\u002For `file_color_list`.\n\n## 7. Expected Results\n*   When the post is viewed, the HTML source should contain the unescaped script tags.\n*   The browser should trigger the `alert()` functions.\n*   Inspection of the DOM should show the script injected either into a `data-*` attribute of a `div` (breaking out with `\">`) or within a `\u003Cscript>` block.\n\n## 8. Verification Steps\n1.  **DOM Inspection:** Use `browser_eval` to check for the presence of the injected payload in the rendered page.\n    ```javascript\n    \u002F\u002F Check if the script was rendered\n    const scripts = Array.from(document.getElementsByTagName('script'));\n    const xssFound = scripts.some(s => s.textContent.includes('alert(document.domain)'));\n    return xssFound;\n    ```\n2.  
**HTML Source Check:** Use `http_request` to fetch the post HTML and grep for the raw payload to confirm lack of encoding.\n    ```bash\n    # Expected: The response body contains the raw string:\n    # marker_name=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n## 9. Alternative Approaches\nIf the plugin renders these attributes inside a JSON object passed to `wp_localize_script`, the breakout payload might need to be adjusted:\n*   **JS Object Payload:** `\"},alert(1),{\"a\":\"`\n*   **Broken Attribute Payload:** `marker_name=\"123' onclick='alert(1)'\"`\n\nIf `marker_name` is passed to the `cOsm_icon` class (as seen in line 160 of `osm-sc-osm_map_v3.php`), the vulnerability may manifest when the icon URL is generated in `osm-icon-class.php`. If the icon name is appended to a URL string without sanitization, an XSS via the `src` attribute of an `\u003Cimg>` tag is possible:\n*   **Payload:** `x\" onerror=\"alert(1)\"`","gemini-3-flash-preview","2026-04-17 20:15:29","2026-04-17 20:15:49",{"id":62,"url_slug":63,"title":64,"description":65,"plugin_slug":4,"theme_slug":38,"affected_versions":66,"patched_in_version":67,"severity":41,"cvss_score":68,"cvss_vector":69,"vuln_type":70,"published_date":71,"updated_date":72,"references":73,"days_to_patch":75,"patch_diff_files":76,"patch_trac_url":38,"research_status":54,"research_verified":55,"research_rounds_completed":56,"research_plan":77,"research_summary":78,"research_vulnerable_code":79,"research_fix_diff":80,"research_exploit_outline":81,"research_model_used":58,"research_started_at":82,"research_completed_at":83,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2026-25323","osm-openstreetmap-missing-authorization","OSM – OpenStreetMap \u003C= 6.1.12 - Missing 
Authorization","The OSM – OpenStreetMap plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.1.12. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","\u003C=6.1.12","6.1.13",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-29 00:00:00","2026-05-04 15:40:16",[74],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd3af34f4-72c5-43a4-9ca1-0729455298c5?source=api-prod",96,[51,53],"# Exploitation Research Plan - CVE-2026-25323 (OSM - OpenStreetMap)\n\n## 1. Vulnerability Summary\nThe **OSM – OpenStreetMap** plugin for WordPress (up to 6.1.12) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function `saveGeotagAndPic` (and potentially associated registration hooks) verifies a nonce but fails to perform a capability check (e.g., `current_user_can( 'edit_post', $post_id )`). This allows authenticated users with Contributor-level privileges to modify geographical metadata (geotags) for any post or page on the site, regardless of ownership or status.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `osm_save_geotag` (inferred from function name `saveGeotagAndPic` and plugin naming conventions)\n- **Parameters**: \n    - `action`: `osm_save_geotag` (inferred)\n    - `lat`: Latitude (e.g., `51.5074`)\n    - `lon`: Longitude (e.g., `-0.1278`)\n    - `icon`: Icon filename (e.g., `marker_blue.png`)\n    - `post_id`: The ID of the target post to modify.\n    - `geotag_nonce`: The CSRF token for the action.\n- **Authentication**: Authenticated (Contributor level or higher).\n- **Preconditions**: The attacker must be logged in as a Contributor and obtain a valid nonce for the `osm_geotag_nonce` action.\n\n## 3. Code Flow\n1. **Entry Point**: The plugin likely registers the AJAX action in the `init` or `admin_init` hook (not visible in snippet but required for AJAX).\n   - Hook: `add_action( 'wp_ajax_osm_save_geotag', 'saveGeotagAndPic' );`\n2. **Execution**: The `saveGeotagAndPic` function in `osm.php` is called.\n3. **Nonce Verification**: The function checks `wp_verify_nonce( $_POST['geotag_nonce'], 'osm_geotag_nonce' )`.\n4. **Processing**: It sanitizes input using `sanitize_text_field` and `wp_unslash`.\n5. **Vulnerable Sink**: The function (based on its purpose) calls `update_post_meta` or a similar database update function using the provided `$post_id` without verifying if the current user has permission to edit that specific post.\n   - *Note*: A Contributor can only edit their own posts. By providing an Admin's `post_id`, the Contributor performs an unauthorized modification.\n\n## 4. Nonce Acquisition Strategy\nThe nonce `osm_geotag_nonce` is typically generated for the post editor meta box.\n1. **Identify Script Localization**: Look for `wp_localize_script` in the full plugin source that includes `osm_geotag_nonce`.\n2. **Access Editor**: Log in as a Contributor and navigate to the \"Add New Post\" page (`\u002Fwp-admin\u002Fpost-new.php`).\n3. 
**Extract Nonce**:\n   - Use `browser_eval` to extract the nonce from the global JavaScript object where the plugin stores its settings.\n   - **Likely Variable**: `window.OSM_Data?.geotag_nonce` or similar (based on `osm_geotag_nonce` action).\n   - **Manual Check**: Inspect the page source for `osm_geotag_nonce`.\n\n## 5. Exploitation Strategy\n1. **Prerequisite**: Create a \"Protected Post\" as an Admin (e.g., Post ID 123).\n2. **Authentication**: Authenticate as a Contributor user.\n3. **Nonce Extraction**: \n   - Navigate to `\u002Fwp-admin\u002Fpost-new.php` as the Contributor.\n   - Extract the `geotag_nonce` from the page source or JS context.\n4. **Forge Request**: Use the `http_request` tool to send an AJAX POST request to modify the Admin's post.\n   - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method**: POST\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**: \n     ```\n     action=osm_save_geotag&lat=99.99&lon=99.99&icon=malicious.png&post_id=123&geotag_nonce=[EXTRACTED_NONCE]\n     ```\n5. **Verify Success**: Check if the response contains \"Location (geotag) saved successfully\".\n\n## 6. Test Data Setup\n1. **Admin User**: Created by default.\n2. **Admin Post**: Create a published post.\n   - `wp post create --post_title=\"Admin Secret Post\" --post_status=publish --post_author=1`\n   - Capture the returned **Post ID**.\n3. **Contributor User**: Create a user with the contributor role.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` status.\n- The response body should include the string: `Location (geotag) saved successfully`.\n- The metadata for the Admin's post (ID 123) should be updated with the malicious latitude and longitude.\n\n## 8. Verification Steps\nAfter performing the exploit, verify the database state using WP-CLI:\n1. 
**Check Post Meta**:\n   - `wp post meta list [ADMIN_POST_ID]`\n2. **Look for Keys**:\n   - Check for meta keys like `osm_geo_data` or `osm_lat_lon` (the exact key names depend on the truncated part of `saveGeotagAndPic`).\n   - If the latitude `99.99` is found in the metadata of the Admin's post, the exploit is successful.\n\n## 9. Alternative Approaches\nIf `osm_save_geotag` is not the correct action name:\n1. Search the plugin folder for all `add_action( 'wp_ajax_` registrations:\n   - `grep -r \"wp_ajax_\" .`\n2. Search for where `osm_geotag_nonce` is localized to find the associated JS logic and action name:\n   - `grep -r \"osm_geotag_nonce\" .`\n3. If the Contributor cannot access the nonce on `post-new.php`, check if the OSM widget or shortcode generator on the frontend exposes it.","The OSM – OpenStreetMap plugin for WordPress is vulnerable to unauthorized modification of post metadata due to missing capability checks in its AJAX handlers. Authenticated attackers with Contributor-level access or higher can exploit this to change geographical tags (geotags) and map markers for any post or page, including those they do not own.","\u002F\u002F File: osm.php, around line 170\nfunction saveGeotagAndPic() {\n    if ( isset( $_POST['lat'], $_POST['lon'], $_POST['icon'], $_POST['post_id'], $_POST['geotag_nonce'] ) ) {\n        $latlon  = sanitize_text_field( wp_unslash( $_POST['lat'] ) ) . ',' . sanitize_text_field( wp_unslash( $_POST['lon'] ) );\n        $icon    = sanitize_text_field( wp_unslash( $_POST['icon'] ) );\n        $post_id = sanitize_text_field( wp_unslash( $_POST['post_id'] ) );\n        $nonce   = sanitize_text_field( wp_unslash( $_POST['geotag_nonce'] ) );\n\n        if ( ! wp_verify_nonce( $nonce, 'osm_geotag_nonce' ) ) {\n            echo \"Error: Bad ajax request\";\n        } else {\n            \u002F\u002F ... 
execution continues to update_post_meta using $post_id without current_user_can check\n\n---\n\n\u002F\u002F File: osm.php, around line 215\nfunction savePostMarker() {\n    if ( isset( $_POST['MarkerId'], $_POST['MarkerLat'], $_POST['MarkerLon'], $_POST['MarkerIcon'], $_POST['MarkerName'], $_POST['post_id'], $_POST['marker_nonce'], $_POST['MarkerText'] ) ) {\n\n        $MarkerId      = sanitize_text_field( wp_unslash( $_POST['MarkerId'] ) );\n        $MarkerLatLon  = sanitize_text_field( wp_unslash( $_POST['MarkerLat'] ) ) . ',' . sanitize_text_field( wp_unslash( $_POST['MarkerLon'] ) );\n        $MarkerIcon    = sanitize_text_field( wp_unslash( $_POST['MarkerIcon'] ) );\n        $MarkerName    = sanitize_text_field( wp_unslash( $_POST['MarkerName'] ) );\n        $post_id       = sanitize_text_field( wp_unslash( $_POST['post_id'] ) );\n        $nonce         = sanitize_text_field( wp_unslash( $_POST['marker_nonce'] ) );\n        \n        \u002F\u002F ... \n\n        \u002F\u002F Nonce check only, no capability check\n        if ( ! wp_verify_nonce( $nonce, 'osm_marker_nonce' ) ) {\n            echo \"Error: Bad ajax request\";\n        } else {\n            \u002F\u002F ... 
execution continues to update_post_meta using $post_id\n        }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fosm\u002F6.1.12\u002Fosm.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fosm\u002F6.1.13\u002Fosm.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fosm\u002F6.1.12\u002Fosm.php\t2026-01-25 15:47:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fosm\u002F6.1.13\u002Fosm.php\t2026-01-25 18:49:30.000000000 +0000\n@@ -169,9 +169,17 @@\n \n function saveGeotagAndPic() {\n     if ( isset( $_POST['lat'], $_POST['lon'], $_POST['icon'], $_POST['post_id'], $_POST['geotag_nonce'] ) ) {\n+\n+        $post_id = absint( wp_unslash( $_POST['post_id'] ) );\n+\n+        \u002F\u002F SECURITY-FIX: Berechtigungsprüfung\n+        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {\n+            echo \"Error: Unauthorized access.\";\n+            wp_die();\n+        }\n+\n         $latlon  = sanitize_text_field( wp_unslash( $_POST['lat'] ) ) . ',' . sanitize_text_field( wp_unslash( $_POST['lon'] ) );\n         $icon    = sanitize_text_field( wp_unslash( $_POST['icon'] ) );\n-        $post_id = sanitize_text_field( wp_unslash( $_POST['post_id'] ) );\n         $nonce   = sanitize_text_field( wp_unslash( $_POST['geotag_nonce'] ) );\n \n         if ( ! wp_verify_nonce( $nonce, 'osm_geotag_nonce' ) ) {\n@@ -215,37 +222,49 @@\n function savePostMarker() {\n     if ( isset( $_POST['MarkerId'], $_POST['MarkerLat'], $_POST['MarkerLon'], $_POST['MarkerIcon'], $_POST['MarkerName'], $_POST['post_id'], $_POST['marker_nonce'], $_POST['MarkerText'] ) ) {\n \n-        $MarkerId      = sanitize_text_field( wp_unslash( $_POST['MarkerId'] ) );\n-        $MarkerLatLon  = sanitize_text_field( wp_unslash( $_POST['MarkerLat'] ) ) . ',' . 
sanitize_text_field( wp_unslash( $_POST['MarkerLon'] ) );\n-        $MarkerIcon    = sanitize_text_field( wp_unslash( $_POST['MarkerIcon'] ) );\n-        $MarkerName    = sanitize_text_field( wp_unslash( $_POST['MarkerName'] ) );\n-        $post_id       = sanitize_text_field( wp_unslash( $_POST['post_id'] ) );\n-        $nonce         = sanitize_text_field( wp_unslash( $_POST['marker_nonce'] ) );\n-        \n-        $allowed_html  = array( \n+        \u002F\u002F post_id korrekt behandeln\n+        $post_id = absint( wp_unslash( $_POST['post_id'] ) );\n+\n+        \u002F\u002F SECURITY-FIX: Berechtigungsprüfung\n+        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {\n+            echo \"Error: Unauthorized access.\";\n+            wp_die();\n+        }\n+\n+        \u002F\u002F restliche Felder wie gehabt\n+        $MarkerId     = absint( wp_unslash( $_POST['MarkerId'] ) );\n+        $MarkerLatLon = sanitize_text_field( wp_unslash( $_POST['MarkerLat'] ) ) . ',' .\n+                        sanitize_text_field( wp_unslash( $_POST['MarkerLon'] ) );\n+        $MarkerIcon   = sanitize_file_name( wp_unslash( $_POST['MarkerIcon'] ) );\n+        $MarkerName   = sanitize_text_field( wp_unslash( $_POST['MarkerName'] ) );\n+        $nonce        = sanitize_text_field( wp_unslash( $_POST['marker_nonce'] ) );","To exploit this vulnerability, an attacker must have Contributor-level access to the WordPress dashboard. 1. Access the post editor (e.g., \u002Fwp-admin\u002Fpost-new.php) to extract the localized AJAX nonces 'osm_geotag_nonce' or 'osm_marker_nonce'. 2. Identify a target post ID that the attacker does not have permission to edit (e.g., a published post by an administrator). 3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php using the action 'osm_save_geotag' or 'osm_save_post_marker'. 4. Include the extracted nonce, the target post_id, and the desired latitude\u002Flongitude\u002Ficon metadata in the request body. 
Because the plugin only verifies the nonce and not the user's permission to edit the specific post_id, the metadata for the target post will be updated.","2026-05-04 21:11:41","2026-05-04 21:12:02",{"id":85,"url_slug":86,"title":87,"description":88,"plugin_slug":4,"theme_slug":38,"affected_versions":89,"patched_in_version":90,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":91,"updated_date":92,"references":93,"days_to_patch":95,"patch_diff_files":96,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2025-31557","osm-openstreetmap-authenticated-contributor-stored-cross-site-scripting-2","OSM – OpenStreetMap \u003C= 6.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting","The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.1.13 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=6.1.13","6.1.14","2025-03-31 00:00:00","2026-02-03 19:57:32",[94],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe0f787cd-af81-4ba4-8ee1-5e01f06a00b0?source=api-prod",310,[],{"id":98,"url_slug":99,"title":100,"description":101,"plugin_slug":4,"theme_slug":38,"affected_versions":102,"patched_in_version":103,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":104,"updated_date":105,"references":106,"days_to_patch":108,"patch_diff_files":109,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2024-52355","osm-openstreetmap-authenticated-contributor-stored-cross-site-scripting","OSM – OpenStreetMap \u003C= 6.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.1.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=6.1.2","6.1.3","2024-11-08 00:00:00","2024-11-14 13:50:13",[107],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5648fc33-3284-4f71-bc2b-6e72237b2ca1?source=api-prod",7,[],{"id":111,"url_slug":112,"title":113,"description":114,"plugin_slug":4,"theme_slug":38,"affected_versions":115,"patched_in_version":116,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":117,"updated_date":118,"references":119,"days_to_patch":48,"patch_diff_files":121,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2024-8991","osm-authenticated-contributor-stored-cross-site-scripting-via-osmmap-and-osmmapv3-shortcodes","OSM \u003C= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes","The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's osm_map and osm_map_v3 shortcodes in all versions up to, and including, 6.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=6.1.0","6.1.1","2024-09-26 18:40:16","2024-09-27 06:53:59",[120],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F839ecd06-9c74-4ddc-b455-26ec3e627889?source=api-prod",[],{"id":123,"url_slug":124,"title":125,"description":126,"plugin_slug":4,"theme_slug":38,"affected_versions":127,"patched_in_version":128,"severity":129,"cvss_score":130,"cvss_vector":131,"vuln_type":132,"published_date":133,"updated_date":134,"references":135,"days_to_patch":137,"patch_diff_files":138,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2024-3604","osm-openstreetmap-authenticated-contributor-sql-injection","OSM – OpenStreetMap \u003C= 6.0.3 - Authenticated (Contributor+) SQL Injection","The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  
This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","\u003C=6.0.3","6.0.4","critical",9.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:H\u002FI:H\u002FA:H","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2024-07-08 20:10:52","2024-09-27 14:16:54",[136],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc8eebc67-e590-4d7f-8925-e5e5090cedf0?source=api-prod",81,[],{"id":140,"url_slug":141,"title":142,"description":143,"plugin_slug":4,"theme_slug":38,"affected_versions":127,"patched_in_version":128,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":144,"updated_date":145,"references":146,"days_to_patch":148,"patch_diff_files":149,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2024-3603","osm-openstreetmap-authenticated-contributor-stored-cross-site-scripting-via-shortcode","OSM – OpenStreetMap \u003C= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","2024-07-08 20:10:10","2024-09-24 18:06:14",[147],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F845cea77-ea74-4459-817b-cfbdb877b75a?source=api-prod",78,[],{"id":151,"url_slug":152,"title":153,"description":154,"plugin_slug":4,"theme_slug":38,"affected_versions":155,"patched_in_version":156,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":157,"updated_date":158,"references":159,"days_to_patch":161,"patch_diff_files":162,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2022-4676","osm-openstreetmap-authenticatedcontributor-stored-cross-site-scripting-via-osmmap-shortcode","OSM - OpenStreetMap \u003C= 6.0.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via 'osm_map' Shortcode","The OSM - OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in versions up to, and including, 6.0.5 due to insufficient input sanitization and output escaping on user supplied attributes like 'map_border'. 
This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=6.0.5","6.0.6","2023-05-03 00:00:00","2024-09-24 17:38:41",[160],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6dac6353-9e70-482d-b54b-ffde661b212c?source=api-prod",511,[],{"id":164,"url_slug":165,"title":166,"description":167,"plugin_slug":4,"theme_slug":38,"affected_versions":168,"patched_in_version":169,"severity":170,"cvss_score":171,"cvss_vector":172,"vuln_type":173,"published_date":174,"updated_date":175,"references":176,"days_to_patch":178,"patch_diff_files":179,"patch_trac_url":38,"research_status":38,"research_verified":55,"research_rounds_completed":28,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":55,"poc_model_used":38,"poc_verification_depth":38},"CVE-2022-30544","osm-openstreetmap-cross-site-request-forgery","OSM - OpenStreetMap \u003C= 6.0 - Cross-Site Request Forgery","The OSM - OpenStreetMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.0. This is due to missing or incorrect nonce validation on one of its functions. 
This makes it possible for unauthenticated attackers to invoke this function, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.","\u003C=6.0","6.0.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2022-09-30 00:00:00","2024-01-22 19:56:02",[177],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F123c2958-3335-4212-8ed0-b2a56a5272f3?source=api-prod",480,[],{"slug":181,"display_name":7,"profile_url":8,"plugin_count":48,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":182,"trust_score":183,"computed_at":184},"photoweblog",174,69,"2026-05-19T20:02:21.780Z",[186,207,228,249,266],{"slug":187,"name":188,"version":189,"author":190,"author_profile":191,"description":192,"short_description":193,"active_installs":194,"downloaded":195,"rating":148,"num_ratings":196,"last_updated":197,"tested_up_to":16,"requires_at_least":198,"requires_php":199,"tags":200,"homepage":199,"download_link":204,"security_score":205,"vuln_count":48,"unpatched_count":28,"last_vuln_date":206,"fetched_at":30},"wp-open-street-map","WP Open Street Map","1.40","manu225","https:\u002F\u002Fprofiles.wordpress.org\u002Fmanu225\u002F","\u003Cp>Create easily maps with OpenStreetMap. 
\u003Ca href=\"https:\u002F\u002Fwww.info-d-74.com\u002Fen\u002Fwp-openstreetmap-demos-2\u002F\" rel=\"nofollow ugc\">Here some examples\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>A Pro version with more options is available: \u003Ca href=\"https:\u002F\u002Fwww.info-d-74.com\u002Fen\u002Fproduit\u002Fwp-openstreetmap-pro-plugin-wordpress\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fwww.info-d-74.com\u002Fen\u002Fproduit\u002Fwp-openstreetmap-pro-plugin-wordpress\u002F\u003C\u002Fa>\u003C\u002Fp>\n","Create easily maps with OpenStreetMap",3000,42782,10,"2026-03-17T12:21:00.000Z","3.5","",[201,202,203,23,4],"map","open-street-map","openstreet","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-open-street-map.1.40.zip",100,"2023-10-12 00:00:00",{"slug":208,"name":209,"version":210,"author":211,"author_profile":212,"description":213,"short_description":214,"active_installs":215,"downloaded":216,"rating":217,"num_ratings":108,"last_updated":218,"tested_up_to":16,"requires_at_least":219,"requires_php":220,"tags":221,"homepage":199,"download_link":224,"security_score":225,"vuln_count":226,"unpatched_count":28,"last_vuln_date":227,"fetched_at":30},"gpx-viewer","GPX Viewer","2.2.16","axelkeller","https:\u002F\u002Fprofiles.wordpress.org\u002Faxelkeller\u002F","\u003Cp>Displays a GPX track as segmented polylines, the way points and the elevation profile.\u003Cbr \u002F>\nOpen Street Map (OSM) is used as background which can be switched between a plane view and a topographic one.\u003Cbr \u002F>\nThe view can be changed to full screen mode. 
When the cursor moves over the elevation profile, the corresponding point is marked on the path interactively.\u003C\u002Fp>\n\u003Cp>GPX tracks uploaded to the server in advance are stored into separate repositories that are ordered according to the categories set up in WordPress.\u003Cbr \u002F>\nThus different collections of tracks can be handled and the tracks chosen from.\u003C\u002Fp>\n\u003Cp>During upload a GPX track can be smoothed and\u002For its elevation data replaced by Open-Elevation Service data.\u003Cbr \u002F>\nThe latter is provided because many elevation data tracked by mobiles are not quite correct.\u003C\u002Fp>\n\u003Cp>GPX trackpoints can be edited on the map interactively.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Admin page \u003Cem>GPX Files\u003C\u002Fem> for uploading tracks\u003Cbr \u002F>\n– Selecting category for repository\u003Cbr \u002F>\n– Replacing the description of the track (tag \u003Ccode>\u003Cname>\u003C\u002Fcode> in the GPX file)\u003Cbr \u002F>\n– Smoothing tracks during upload, thus reducing track points\u003Cbr \u002F>\n– Replacing elevation data of track points using Open-Elevation Service during upload\u003C\u002Fli>\n\u003Cli>Display of a specific, uploaded GPX track\u003Cbr \u002F>\n– PHP-function for inserting the view into a page\u003Cbr \u002F>\n– Selecting full screen mode and scaling the map\u003Cbr \u002F>\n– Switching between plane and topographic view\u003C\u002Fli>\n\u003Cli>Editing trackpoints on the map\u003Cbr \u002F>\n– Adding, moving, deleting track points\u003Cbr \u002F>\n– creating, splitting polylines\u003C\u002Fli>\n\u003Cli>Display of a list of GPX files from which a track can be selected\u003Cbr \u002F>\n– separated list for each category\u003Cbr \u002F>\n– Setting width and color of the path\u003Cbr \u002F>\n– Shortcode for inserting the list into a page\u003C\u002Fli>\n\u003Cli>Elevation profile\u003Cbr \u002F>\n– Interactive path 
marker\u003Cbr \u002F>\n– Name of the track\u003Cbr \u002F>\n– Distance of the track\u003Cbr \u002F>\n– Maximum\u002Fminimum elevation\u003Cbr \u002F>\n– Elevation loss\u002Fgain\u003Cbr \u002F>\n– Trail duration\u003C\u002Fli>\n\u003C\u002Ful>\n","Display GPX tracks with their elevation profile on OSM maps, edit them interactively",900,24094,72,"2026-03-16T10:42:00.000Z","4.9","7.2.24",[222,20,201,23,223],"elevation","track","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgpx-viewer.2.2.16.zip",98,2,"2025-02-21 00:00:00",{"slug":229,"name":230,"version":231,"author":232,"author_profile":233,"description":234,"short_description":235,"active_installs":205,"downloaded":236,"rating":205,"num_ratings":237,"last_updated":238,"tested_up_to":239,"requires_at_least":240,"requires_php":241,"tags":242,"homepage":245,"download_link":246,"security_score":247,"vuln_count":226,"unpatched_count":28,"last_vuln_date":248,"fetched_at":30},"shmapper-by-teplitsa","ShMapper by Teplitsa","1.5.1","Denis Cherniatev","https:\u002F\u002Fprofiles.wordpress.org\u002Fdenischerniatev\u002F","\u003Cp>The shMapper plugin allows you to create simple crowdsourcing maps on OpenStreetMap with an option of feedback messages form. 
This plugin gives you an alternative to current online map services such as Yandex.Maps, Google Maps, etc., which don’t provide the option for users to add new objects.\u003C\u002Fp>\n\u003Cp>Most of the code was written by Gennadiy Glazunov aka \u003Ca href=\"http:\u002F\u002Fgenagl.ru\" rel=\"nofollow ugc\">Genagl\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Core features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Configure and display maps with markers on pages.\u003C\u002Fli>\n\u003Cli>Display maps using shortcodes.\u003C\u002Fli>\n\u003Cli>Receive new map markers via feedback form.\u003C\u002Fli>\n\u003Cli>Pre or post-moderation of new markers.\u003C\u002Fli>\n\u003Cli>reCaptcha form protection.\u003C\u002Fli>\n\u003Cli>Custom markers icons.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>PHP 5.6 or later is required for the plugin to work correctly.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Help the project\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>We will be very grateful if you help us make ShMapper better.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>You can add a bug report or a feature request on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTeplitsa\u002Fshmapper\u002Fissues\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Send us your pull request to share a code improvement.\u003C\u002Fli>\n\u003Cli>You can make a new plugin translation for your language or send us fixes for an existing translation, if needed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If you have questions about any aspect of how the plugin works, please contact our support service on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTeplitsa\u002Fshmapper\u002Fissues\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>.\u003C\u002Fp>\n","shMapper is a plugin that allows you to create simple crowdsourcing maps based on OpenStreetMap and 
Yandex.Maps.",7504,5,"2025-01-14T10:19:00.000Z","6.7.5","5.0","7.4",[243,201,23,4,244],"crowdsourcing","yandex-map","http:\u002F\u002Fgenagl.ru\u002F?p=652","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshmapper-by-teplitsa.zip",91,"2025-01-24 00:00:00",{"slug":250,"name":251,"version":252,"author":253,"author_profile":254,"description":255,"short_description":256,"active_installs":257,"downloaded":258,"rating":28,"num_ratings":28,"last_updated":259,"tested_up_to":260,"requires_at_least":199,"requires_php":199,"tags":261,"homepage":263,"download_link":264,"security_score":265,"vuln_count":28,"unpatched_count":28,"last_vuln_date":38,"fetched_at":30},"acf-openstreetmap-field-block","ACF OpenStreetMap Field into a Block","1.0","julianoe","https:\u002F\u002Fprofiles.wordpress.org\u002Fjulianoe\u002F","\u003Cp>Very simple plugin to add Acf Block support for the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Facf-openstreetmap-field\u002F\" rel=\"ugc\">ACF OpenStreetMap Field\u003C\u002Fa> from Jörn Lund.\u003Cbr \u002F>\nThis plugin obviously will only work if you install Advanced Custom Field and ACF OpenStreetMap Field.\u003C\u002Fp>\n\u003Cp>The plugin will create an ACF group field with one OpenStreetMap field configured with default parameters.\u003Cbr \u002F>\nYou can always override this ACF Group field by creating your own group field titled “ACF OSM BLOCK” and defining its location to be the “ACF OpenStreetMap Block”.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Plugin working with \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fpodpirate\u002F\" rel=\"nofollow ugc\">podpirate\u003C\u002Fa> aka Jörn Lund’s plugin\u003Cbr \u002F>\nPhoto by \u003Ca href=\"https:\u002F\u002Fwww.pexels.com\u002F@oidonnyboy\" rel=\"nofollow ugc\">Nick Wehrli\u003C\u002Fa> from pexels.\u003Cbr \u002F>\nIcon “location” by the WordPress Dashicons.\u003C\u002Fp>\n","Very simple plugin that adds an OpenStreetMap ACF block to the 
WordPress block editor.",20,1267,"2021-05-07T22:59:00.000Z","5.7.15",[262,23,4],"acf","https:\u002F\u002Fframagit.org\u002Fjulianoe\u002Facf-openstreetmap-field-block","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-openstreetmap-field-block.zip",85,{"slug":267,"name":268,"version":269,"author":270,"author_profile":271,"description":272,"short_description":273,"active_installs":257,"downloaded":274,"rating":205,"num_ratings":56,"last_updated":275,"tested_up_to":16,"requires_at_least":276,"requires_php":277,"tags":278,"homepage":282,"download_link":283,"security_score":205,"vuln_count":28,"unpatched_count":28,"last_vuln_date":38,"fetched_at":30},"advanced-osm-for-toolset-maps","Advanced OSM for Toolset Maps","3.0.1","wp-customtypes","https:\u002F\u002Fprofiles.wordpress.org\u002Fumbaumba\u002F","\u003Cp>\u003Cstrong>Supercharge Toolset Maps with professional OpenStreetMap features that go beyond the basic core implementation.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>While Toolset Maps provides a foundation for OSM, this plugin enhances the experience with advanced visualization and data tools, now fully integrated with the WordPress Block Editor.\u003C\u002Fp>\n\u003Ch3>🧱 NEW: Gutenberg Blocks\u003C\u002Fh3>\n\u003Cp>Forget about complex shortcodes. Version 3.0 introduces native blocks:\u003Cbr \u002F>\n* \u003Cstrong>Advanced OSM Map Block:\u003C\u002Fstrong> Configure satellite views, clustering, and tracks visually in the sidebar.\u003Cbr \u002F>\n* \u003Cstrong>Dynamic Track Loader Block:\u003C\u002Fstrong> Easily link Toolset File Fields (KML\u002FGPX) to your maps within Query Loops or Content Templates.\u003C\u002Fp>\n\u003Ch3>🛰️ Satellite View\u003C\u002Fh3>\n\u003Cp>High-resolution Esri satellite imagery not available in native Toolset. Includes an interactive toggle button for front-end users.\u003C\u002Fp>\n\u003Ch3>🔵 Pro Clustering\u003C\u002Fh3>\n\u003Cp>While Toolset offers basic clustering, AOTM gives you more control. 
Customize the cluster color to match your brand and set precise zoom thresholds for declustering.\u003C\u002Fp>\n\u003Ch3>📍 KML & GPX Support\u003C\u002Fh3>\n\u003Cp>Visualize tracks, routes, or shapes. Load files in three ways:\u003Cbr \u002F>\n1.  \u003Cstrong>Media Library:\u003C\u002Fstrong> Select multiple files directly from your WordPress media.\u003Cbr \u002F>\n2.  \u003Cstrong>Direct URLs:\u003C\u002Fstrong> Paste manual KML\u002FGPX links.\u003Cbr \u002F>\n3.  \u003Cstrong>Dynamic Fields:\u003C\u002Fstrong> Use a Toolset File Field slug to pull tracks from your custom posts.\u003C\u002Fp>\n\u003Ch3>🎨 Custom Styling & Layers\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Grayscale Mode:\u003C\u002Fstrong> Apply “silver” or “muted” styles with precise intensity control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Layer Management:\u003C\u002Fstrong> Toggle roads and labels independently for a cleaner, professional design.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check \u003Ca href=\"https:\u002F\u002Fwp-customtypes.com\u002Fadvanced-osm-for-toolset-maps\u002F\" rel=\"nofollow ugc\">DEMOS\u003C\u002Fa>\u003Cbr \u002F>\nCheck author page \u003Ca href=\"https:\u002F\u002Fwp-customtypes.com\u002F\" rel=\"nofollow ugc\">wp-customtypes.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Feature Comparison\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Satellite View\u003C\u002Fstrong>\u003Cbr \u002F>\nToolset Maps ❌ No\u003Cbr \u002F>\nAdvanced OSM ✅ 1-click\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Marker Clustering\u003C\u002Fstrong>\u003Cbr \u002F>\nToolset Maps ⚠️ Basic only\u003Cbr \u002F>\nAdvanced OSM ✅ Customizable\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Grayscale Effects\u003C\u002Fstrong>\u003Cbr \u002F>\nToolset Maps ❌ No\u003Cbr \u002F>\nAdvanced OSM ✅ 0-100% control\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Layer Toggles\u003C\u002Fstrong>\u003Cbr \u002F>\nToolset Maps ❌ All or none\u003Cbr \u002F>\nAdvanced OSM ✅ Roads\u002FLabels separate\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Zoom 
Control\u003C\u002Fstrong>\u003Cbr \u002F>\nToolset Maps ❌ Basic\u003Cbr \u002F>\nAdvanced OSM ✅ Precise levels\u003C\u002Fp>\n\u003Cp>\u003Cstrong>KML\u002FGPX Support\u003C\u002Fstrong>\u003Cbr \u002F>\nToolset Maps ❌ No\u003Cbr \u002F>\nAdvanced OSM ✅ Yes (Shapes & Tracks)\u003C\u002Fp>\n\u003Ch3>Shortcode Examples\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Basic OpenStreetMap\u003C\u002Fstrong>\u003Cbr \u002F>\n[aotm-advanced-osm-map map-id=”map-1″]\u003Cbr \u002F>\n[wpv-map-render map_id=”map-1″][\u002Fwpv-map-render]\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Satellite View with Layers\u003C\u002Fstrong>\u003Cbr \u002F>\n[aotm-advanced-osm-map map-id=”map-2″ satellite=”on” labels=”on” roads=”on”]\u003Cbr \u002F>\n[wpv-map-render map_id=”map-2″][\u002Fwpv-map-render]\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Professional Styling\u003C\u002Fstrong>\u003Cbr \u002F>\n[aotm-advanced-osm-map map-id=”map-3″ grayscale=”0.9″ cluster=”on” cluster-color=”#f05a28″]\u003Cbr \u002F>\n[wpv-map-render map_id=”map-3″][\u002Fwpv-map-render]\u003C\u002Fp>\n\u003Cp>**Dynamic Tracks in a View or Single Post via URL **\u003Cbr \u002F>\nInside any Post or Page:\u003Cbr \u002F>\n[aotm-advanced-osm-map map-id=”map-4″ track-field=”https:\u002F\u002Fmy-domain.com\u002Fwp-content\u002Fuploads\u002Fmy-track.gpx,https:\u002F\u002Fmy-domain.com\u002Fwp-content\u002Fuploads\u002Fmy-shape.kml”]\u003Cbr \u002F>\n[wpv-map-render map_id=”map-4″][\u002Fwpv-map-render]\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Dynamic Tracks in a View or Single Post via Custom field\u003C\u002Fstrong>\u003Cbr \u002F>\nInside your Toolset View loop or Content Template:\u003Cbr \u002F>\n[aotm-advanced-osm-map map-id=”map-5″]\u003Cbr \u002F>\n[wpv-map-render map_id=”map-5″][\u002Fwpv-map-render]\u003C\u002Fp>\n\u003Cp>[aotm-advanced-osm-marker map-id=”map-4″ track-field=”track-file-slug”]\u003C\u002Fp>\n\u003Ch3>Full Shortcode Reference\u003C\u002Fh3>\n\u003Ch4>[aotm-advanced-osm-map]\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>map-id: (Required) 
Must match your Toolset map ID.\u003C\u002Fli>\n\u003Cli>satellite: “on” – Set satellite as default base layer.\u003C\u002Fli>\n\u003Cli>satellite-button: “off” – Hide Satellite toggle button (default on).\u003C\u002Fli>\n\u003Cli>cluster: “on” – Enable custom marker clustering.\u003C\u002Fli>\n\u003Cli>cluster-color: Hex color (e.g., #ff5500) – Change the cluster icon color.\u003C\u002Fli>\n\u003Cli>zoom-cluster: 0-18 – Zoom level where clustering turns off (default 12).\u003C\u002Fli>\n\u003Cli>track-url: Direct URL to a .kml or .gpx file. Supports multiple URLs separated by commas.\u003C\u002Fli>\n\u003Cli>track-field: Slug of the Toolset custom field containing KML\u002FGPX URLs (for global tracks).\u003C\u002Fli>\n\u003Cli>grayscale: 0.1-1 – Grayscale intensity (default 0).\u003C\u002Fli>\n\u003Cli>labels\u002Froads: “on” – Show extra overlays.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>[aotm-advanced-osm-marker]\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>map-id: (Required) Must match your Toolset map ID.\u003C\u002Fli>\n\u003Cli>track-field: (Required) Slug of the Toolset File Field (KML or GPX).\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends Toolset Maps with professional OpenStreetMap features: Gutenberg Blocks, Satellite view, Custom Clustering, and KML\u002FGPX tracks 
integration.",733,"2026-01-22T19:01:00.000Z","6.5","7.0",[21,279,23,280,281],"maps","satellite-view","toolset","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fadvanced-osm-for-toolset-maps\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-osm-for-toolset-maps.3.0.1.zip",{"attackSurface":285,"codeSignals":359,"taintFlows":481,"riskAssessment":508,"analyzedAt":523},{"hooks":286,"ajaxHandlers":334,"restRoutes":344,"shortcodes":345,"cronEvents":358,"entryPointCount":237,"unprotectedCount":28},[287,293,298,302,306,310,313,316,319,323,326,330],{"type":288,"name":289,"callback":290,"file":291,"line":292},"action","admin_enqueue_scripts","osm_enqueue_scripts_styles","osm-metabox.php",59,{"type":294,"name":295,"callback":296,"file":51,"line":297},"filter","upload_mimes","osm_restrict_mime_types",166,{"type":294,"name":299,"callback":300,"priority":196,"file":51,"line":301},"wp_check_filetype_and_ext","allow_osm_upload",167,{"type":288,"name":303,"callback":304,"file":51,"line":305},"post-upload-ui","osm_restrict_mime_types_hint",324,{"type":288,"name":307,"callback":308,"file":51,"line":309},"add_meta_boxes","osm_map_create",340,{"type":288,"name":311,"callback":311,"file":51,"line":312},"wp_head",397,{"type":288,"name":314,"callback":314,"file":51,"line":315},"admin_head",398,{"type":288,"name":317,"callback":317,"file":51,"line":318},"admin_menu",399,{"type":288,"name":320,"callback":321,"file":51,"line":322},"wp_enqueue_scripts","load_osm_map_scripts",400,{"type":288,"name":320,"callback":324,"file":51,"line":325},"load_osm_map_v3_scripts",401,{"type":288,"name":327,"callback":328,"file":51,"line":329},"widgets_init","register_osm_widget",402,{"type":288,"name":331,"callback":332,"file":51,"line":333},"plugins_loaded","osm_load_plugin_textdomain",405,[335,340],{"action":336,"nopriv":55,"callback":337,"hasNonce":338,"hasCapCheck":338,"file":51,"line":339},"act_saveGeotag","saveGeotagAndPic",true,403,{"action":341,"nopriv":55,"callback":342,"has
Nonce":338,"hasCapCheck":338,"file":51,"line":343},"act_saveMarker","savePostMarker",404,[],[346,350,354],{"tag":347,"callback":348,"file":51,"line":349},"osm_map","sc_showMap",408,{"tag":351,"callback":352,"file":51,"line":353},"osm_map_v3","sc_OL3JS",409,{"tag":355,"callback":356,"file":51,"line":357},"osm_info","sc_info",410,[],{"dangerousFunctions":360,"sqlUsage":361,"outputEscaping":371,"fileOperations":28,"externalRequests":28,"nonceChecks":56,"capabilityChecks":226,"bundledLibraries":480},[],{"prepared":108,"raw":56,"locations":362},[363,367,369],{"file":364,"line":365,"context":366},"osm-sc-info.php",27,"$wpdb->query() with variable interpolation",{"file":364,"line":368,"context":366},52,{"file":51,"line":370,"context":366},840,{"escaped":372,"rawEcho":373,"locations":374},140,57,[375,378,380,382,384,386,388,390,391,392,394,396,398,400,401,403,405,407,409,411,413,415,416,418,420,422,423,426,428,430,431,432,434,436,437,439,441,442,444,446,447,449,451,452,454,456,457,459,461,463,465,467,469,471,473,475,477],{"file":50,"line":376,"context":377},292,"raw 
output",{"file":50,"line":379,"context":377},376,{"file":50,"line":381,"context":377},377,{"file":50,"line":383,"context":377},378,{"file":50,"line":385,"context":377},379,{"file":50,"line":387,"context":377},380,{"file":50,"line":389,"context":377},381,{"file":291,"line":265,"context":377},{"file":291,"line":26,"context":377},{"file":291,"line":393,"context":377},155,{"file":291,"line":395,"context":377},197,{"file":291,"line":397,"context":377},198,{"file":291,"line":399,"context":377},199,{"file":291,"line":399,"context":377},{"file":291,"line":402,"context":377},216,{"file":291,"line":404,"context":377},295,{"file":291,"line":406,"context":377},323,{"file":291,"line":408,"context":377},345,{"file":291,"line":410,"context":377},346,{"file":291,"line":412,"context":377},361,{"file":291,"line":414,"context":377},365,{"file":291,"line":381,"context":377},{"file":364,"line":417,"context":377},44,{"file":364,"line":419,"context":377},45,{"file":364,"line":421,"context":377},68,{"file":364,"line":183,"context":377},{"file":424,"line":425,"context":377},"osm-widget.php",29,{"file":424,"line":427,"context":377},62,{"file":424,"line":429,"context":377},63,{"file":424,"line":429,"context":377},{"file":424,"line":429,"context":377},{"file":424,"line":433,"context":377},66,{"file":424,"line":435,"context":377},67,{"file":424,"line":435,"context":377},{"file":424,"line":438,"context":377},89,{"file":424,"line":440,"context":377},90,{"file":424,"line":440,"context":377},{"file":424,"line":443,"context":377},101,{"file":424,"line":445,"context":377},102,{"file":424,"line":445,"context":377},{"file":424,"line":448,"context":377},112,{"file":424,"line":450,"context":377},113,{"file":424,"line":450,"context":377},{"file":424,"line":453,"context":377},124,{"file":424,"line":455,"context":377},125,{"file":424,"line":455,"context":377},{"file":51,"line":458,"context":377},436,{"file":51,"line":460,"context":377},439,{"file":51,"line":462,"context":377},442,{"file":51,"line":464,"cont
ext":377},562,{"file":51,"line":466,"context":377},563,{"file":51,"line":468,"context":377},564,{"file":51,"line":470,"context":377},565,{"file":51,"line":472,"context":377},1225,{"file":51,"line":474,"context":377},1239,{"file":51,"line":476,"context":377},1260,{"file":478,"line":479,"context":377},"osm_map_v3\\osm-sc-osm_map_v3.php",144,[],[482,500],{"entryPoint":483,"graph":484,"unsanitizedCount":28,"severity":499},"options_page_osm (osm.php:447)",{"nodes":485,"edges":497},[486,491],{"id":487,"type":488,"label":489,"file":51,"line":490},"n0","source","$_POST (x3)",465,{"id":492,"type":493,"label":494,"file":51,"line":495,"wp_function":496},"n1","sink","update_option() [Settings Manipulation]",470,"update_option",[498],{"from":487,"to":492,"sanitized":338},"low",{"entryPoint":501,"graph":502,"unsanitizedCount":28,"severity":499},"\u003Cosm> (osm.php:0)",{"nodes":503,"edges":506},[504,505],{"id":487,"type":488,"label":489,"file":51,"line":490},{"id":492,"type":493,"label":494,"file":51,"line":495,"wp_function":496},[507],{"from":487,"to":492,"sanitized":338},{"summary":509,"deductions":510},"The \"osm\" v6.1.15 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals no critical or high-severity issues within the current code base, including dangerous functions, file operations, or external HTTP requests. The presence of nonce and capability checks on entry points is also a strength, indicating some adherence to WordPress security best practices. However, concerns arise from the vulnerability history, which shows a significant number of past CVEs, including one critical and one high-severity vulnerability. The common types of past vulnerabilities (XSS, SQL Injection, CSRF) suggest recurring weaknesses in input sanitization and output escaping, despite the current static analysis indicating that 70% of SQL queries use prepared statements and 71% of outputs are properly escaped. 
This suggests that while current code might be improved, past issues indicate a pattern of susceptible code that could be reintroduced or missed in future development.\n\nThe limited attack surface of 5 entry points, all with authentication checks, is a positive indicator. However, the history of 7 total CVEs, including a critical and high-severity one, coupled with past vulnerability types like SQL Injection and XSS, warrants caution. The plugin has a track record of security flaws, and even though there are no currently unpatched CVEs, the recurring nature of these vulnerabilities suggests potential ongoing risks if code review and sanitization practices are not rigorously maintained. The current static analysis results, while good for the current version, do not fully mitigate the risks posed by the plugin's past security performance.",[511,513,515,517,519,521],{"reason":512,"points":257},"Significant past CVEs including critical\u002Fhigh",{"reason":514,"points":196},"Past SQL Injection vulnerabilities",{"reason":516,"points":196},"Past XSS vulnerabilities",{"reason":518,"points":237},"Past CSRF vulnerabilities",{"reason":520,"points":237},"70% SQL prepared statements (potential raw SQL)",{"reason":522,"points":237},"71% output escaping (potential unescaped 
output)","2026-03-16T17:38:57.809Z",{"wat":525,"direct":562},{"assetPaths":526,"generatorPatterns":559,"scriptPaths":560,"versionParams":561},[527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,547],"\u002Fwp-content\u002Fplugins\u002Fosm\u002Fcss\u002Fosm_editor.css","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fcss\u002Fosm_map_viewer.css","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_viewer.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_editor.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fleaflet.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002FControl.Zoom.Steps.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_functions.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fmarkerclusterer.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_markers_display.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_base_map.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_layerswitcher.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_controls.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_data_source.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_options.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_popup.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_editor.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_selection.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_search.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_filter.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_marker_display.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_display.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_editor.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_controls.js","\u002Fwp-content\u002Fplugins\u002
Fosm\u002Fjs\u002Fosm_map_layerswitcher.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_data_source.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_options.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_popup.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_editor.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_selection.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_search.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_filter.js","\u002Fwp-content\u002Fplugins\u002Fosm\u002Fjs\u002Fosm_map_marker_display.js",[],[529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,547],[],{"cssClasses":563,"htmlComments":588,"htmlAttributes":624,"restEndpoints":634,"jsGlobals":638,"shortcodeOutput":643},[347,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587],"osm-custom-marker","osm-infobox-container","osm-infobox-title","osm-infobox-content","osm-editor-map","osm-editor-sidebar","osm-editor-layer-list","osm-editor-marker-form","osm-editor-marker-input","osm-editor-marker-textarea","osm-editor-marker-select","osm-editor-marker-save","osm-editor-marker-delete","osm-editor-marker-cancel","osm-editor-map-controls","osm-editor-map-layer-switcher","osm-editor-map-data-source","osm-editor-map-marker-options","osm-editor-map-marker-popup","osm-editor-map-marker-editor","osm-editor-map-marker-selection","osm-editor-map-marker-search","osm-editor-map-marker-filter","osm-editor-map-marker-display",[589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623],"\u003C!-- OSM Plugin -->","\u003C!-- OSM Plugin - Initialize Map -->","\u003C!-- OSM Plugin - Map Options -->","\u003C!-- OSM Plugin - Marker Options -->","\u003C!-- OSM Plugin - Pop-up 
Options -->","\u003C!-- OSM Plugin - Editor Options -->","\u003C!-- OSM Plugin - Selection Options -->","\u003C!-- OSM Plugin - Search Options -->","\u003C!-- OSM Plugin - Filter Options -->","\u003C!-- OSM Plugin - Display Options -->","\u003C!-- OSM Plugin - Base Map Options -->","\u003C!-- OSM Plugin - Layer Switcher Options -->","\u003C!-- OSM Plugin - Controls Options -->","\u003C!-- OSM Plugin - Data Source Options -->","\u003C!-- OSM Plugin - Initialize Editor -->","\u003C!-- OSM Plugin - Editor Sidebar -->","\u003C!-- OSM Plugin - Editor Layer List -->","\u003C!-- OSM Plugin - Editor Marker Form -->","\u003C!-- OSM Plugin - Editor Marker Input -->","\u003C!-- OSM Plugin - Editor Marker Textarea -->","\u003C!-- OSM Plugin - Editor Marker Select -->","\u003C!-- OSM Plugin - Editor Marker Save Button -->","\u003C!-- OSM Plugin - Editor Marker Delete Button -->","\u003C!-- OSM Plugin - Editor Marker Cancel Button -->","\u003C!-- OSM Plugin - Editor Map Controls -->","\u003C!-- OSM Plugin - Editor Map Layer Switcher -->","\u003C!-- OSM Plugin - Editor Map Data Source -->","\u003C!-- OSM Plugin - Editor Map Marker Options -->","\u003C!-- OSM Plugin - Editor Map Marker Popup -->","\u003C!-- OSM Plugin - Editor Map Marker Editor -->","\u003C!-- OSM Plugin - Editor Map Marker Selection -->","\u003C!-- OSM Plugin - Editor Map Marker Search -->","\u003C!-- OSM Plugin - Editor Map Marker Filter -->","\u003C!-- OSM Plugin - Editor Map Marker Display -->","\u003C!-- OSM Plugin - Map Display 
-->",[625,626,627,628,629,630,631,632,633],"data-osm-lat","data-osm-lon","data-osm-zoom","data-osm-marker-icon","data-osm-marker-title","data-osm-marker-content","data-osm-map-id","data-osm-editor-map-id","data-osm-editor-marker-id",[635,636,637],"\u002Fwp-json\u002Fosm\u002Fv1\u002Fsave_geotag","\u002Fwp-json\u002Fosm\u002Fv1\u002Fget_geotag","\u002Fwp-json\u002Fosm\u002Fv1\u002Fdelete_geotag",[639,640,641,642],"osm_map_viewer_options","osm_editor_options","osm_map_viewer","osm_editor",[644,645,646,647],"[map]","[osm_map]","[locations]","[osm_locations]",{"error":338,"url":649,"statusCode":343,"statusMessage":650,"message":650},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fosm\u002Fbundle","no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":652,"versions":653},15,[654,659,665,673,680,688,698,708,720,732,744,756,768,780,791],{"version":6,"download_url":25,"svn_tag_url":655,"released_at":38,"has_diff":55,"diff_files_changed":656,"diff_lines":38,"trac_diff_url":657,"vulnerabilities":658,"is_current":338},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.17\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.16&new_path=%2Fosm%2Ftags%2F6.1.17",[],{"version":40,"download_url":660,"svn_tag_url":661,"released_at":38,"has_diff":55,"diff_files_changed":662,"diff_lines":38,"trac_diff_url":663,"vulnerabilities":664,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.16.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.16\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.15&new_path=%2Fosm%2Ftags%2F6.1.16",[],{"version":666,"download_url":667,"svn_tag_url":668,"released_at":38,"has_diff":55,"diff_files_changed":669,"diff_lines":38,"trac_diff_url":670,"vulnerabilities":671,"is_current":55},"6.1.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.
1.15.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.15\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.14&new_path=%2Fosm%2Ftags%2F6.1.15",[672],{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"version":90,"download_url":674,"svn_tag_url":675,"released_at":38,"has_diff":55,"diff_files_changed":676,"diff_lines":38,"trac_diff_url":677,"vulnerabilities":678,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.14.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.14\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.13&new_path=%2Fosm%2Ftags%2F6.1.14",[679],{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"version":67,"download_url":681,"svn_tag_url":682,"released_at":38,"has_diff":55,"diff_files_changed":683,"diff_lines":38,"trac_diff_url":684,"vulnerabilities":685,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.13.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.13\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.12&new_path=%2Fosm%2Ftags%2F6.1.13",[686,687],{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"version":689,"download_url":690,"svn_tag_url":691,"released_at":38,"has_diff":55,"diff_files_changed":692,"diff_lines":38,"trac_diff_url":693,"vulnerabilities":694,"is_current":55},"6.1.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.12.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.12\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\
u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.4&new_path=%2Fosm%2Ftags%2F6.1.12",[695,696,697],{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":699,"download_url":700,"svn_tag_url":701,"released_at":38,"has_diff":55,"diff_files_changed":702,"diff_lines":38,"trac_diff_url":703,"vulnerabilities":704,"is_current":55},"6.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.1.0&new_path=%2Fosm%2Ftags%2F6.1.4",[705,706,707],{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":709,"download_url":710,"svn_tag_url":711,"released_at":38,"has_diff":55,"diff_files_changed":712,"diff_lines":38,"trac_diff_url":713,"vulnerabilities":714,"is_current":55},"6.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.1.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.14&new_path=%2Fosm%2Ftags%2F6.1.0",[715,716,717,718,719],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"pat
ched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":721,"download_url":722,"svn_tag_url":723,"released_at":38,"has_diff":55,"diff_files_changed":724,"diff_lines":38,"trac_diff_url":725,"vulnerabilities":726,"is_current":55},"6.0.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.14.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.14\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.13&new_path=%2Fosm%2Ftags%2F6.0.14",[727,728,729,730,731],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":733,"download_url":734,"svn_tag_url":735,"released_at":38,"has_diff":55,"diff_files_changed":736,"diff_lines":38,"trac_diff_url":737,"vulnerabilities":738,"is_current":55},"6.0.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.13.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.13\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.9&new_path=%2Fosm%2Ftags%2F6.0.13",[739,740,741,742,743],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":111,"url_slug":112,"title
":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":745,"download_url":746,"svn_tag_url":747,"released_at":38,"has_diff":55,"diff_files_changed":748,"diff_lines":38,"trac_diff_url":749,"vulnerabilities":750,"is_current":55},"6.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.9.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.9\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.8&new_path=%2Fosm%2Ftags%2F6.0.9",[751,752,753,754,755],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":757,"download_url":758,"svn_tag_url":759,"released_at":38,"has_diff":55,"diff_files_changed":760,"diff_lines":38,"trac_diff_url":761,"vulnerabilities":762,"is_current":55},"6.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.7&new_path=%2Fosm%2Ftags%2F6.0.8",[763,764,765,766,767],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_i
n_version":40},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":769,"download_url":770,"svn_tag_url":771,"released_at":38,"has_diff":55,"diff_files_changed":772,"diff_lines":38,"trac_diff_url":773,"vulnerabilities":774,"is_current":55},"6.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.7\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.6&new_path=%2Fosm%2Ftags%2F6.0.7",[775,776,777,778,779],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":156,"download_url":781,"svn_tag_url":782,"released_at":38,"has_diff":55,"diff_files_changed":783,"diff_lines":38,"trac_diff_url":784,"vulnerabilities":785,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fosm%2Ftags%2F6.0.5&new_path=%2Fosm%2Ftags%2F6.0.6",[786,787,788,789,790],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cv
ss_score":42,"vuln_type":44,"patched_in_version":40},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67},{"version":792,"download_url":793,"svn_tag_url":794,"released_at":38,"has_diff":55,"diff_files_changed":795,"diff_lines":38,"trac_diff_url":38,"vulnerabilities":796,"is_current":55},"6.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.0.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fosm\u002Ftags\u002F6.0.5\u002F",[],[797,798,799,800,801,802],{"id":98,"url_slug":99,"title":100,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":103},{"id":34,"url_slug":35,"title":36,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":40},{"id":151,"url_slug":152,"title":153,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":156},{"id":111,"url_slug":112,"title":113,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":116},{"id":85,"url_slug":86,"title":87,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":90},{"id":62,"url_slug":63,"title":64,"severity":41,"cvss_score":68,"vuln_type":70,"patched_in_version":67}]