CVE-2026-1096
Stored XSS in Best-wp-google-map Plugin via Shortcode Parameters
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| raju_ahmed | best_wp_google_map | to 2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-1096 is a Stored Cross-Site Scripting (XSS) vulnerability in the Best-wp-google-map WordPress plugin, specifically in versions up to and including 2.1.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the plugin does not properly sanitize or escape the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode. Authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages via these parameters."}, {'type': 'paragraph', 'content': 'When a user accesses a page containing the injected shortcode, the malicious scripts execute in their browser, potentially compromising their session or data.'}, {'type': 'paragraph', 'content': 'Technically, the plugin outputs the latitude and longitude values directly into HTML and JavaScript without validation, allowing attackers to inject malicious code that runs client-side.'}] [3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with Contributor-level access or higher to inject malicious scripts into your WordPress site pages.
These scripts execute in the browsers of users who visit the affected pages, potentially leading to session hijacking, data theft, defacement, or other malicious actions.
Because the attack is stored, the malicious code persists on the site and affects all users who view the injected content.
The CVSS score of 6.4 indicates a medium severity with network attack vector, low attack complexity, and no user interaction required, emphasizing the risk of compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by inspecting WordPress sites using the Best-wp-google-map plugin version 2.1 or earlier, specifically looking for the presence of the 'google_map_view' shortcode with latitude and longitudinal parameters that are not properly sanitized."}, {'type': 'paragraph', 'content': 'One approach is to search the WordPress content for the shortcode usage and check if any injected scripts or suspicious content appear within the latitude or longitudinal parameters.'}, {'type': 'list_item', 'content': "Use WP-CLI or database queries to search for the shortcode in posts or pages, for example: `wp search-replace '\\[google_map_view.*latitude=.*\\]' '' --dry-run` to identify occurrences."}, {'type': 'list_item', 'content': 'Manually inspect pages containing the shortcode for unexpected script tags or unusual content in the latitude and longitudinal attributes.'}, {'type': 'list_item', 'content': "Use browser developer tools to check the HTML output of pages with the shortcode for unsanitized latitude and longitude values inside the 'coords' div."}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include disabling or removing the Best-wp-google-map plugin version 2.1 or earlier from your WordPress installation to prevent exploitation.'}, {'type': 'paragraph', 'content': 'Since the plugin has been temporarily closed and is no longer available for download pending a full security review, avoid using it until a patched version is released.'}, {'type': 'paragraph', 'content': 'Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access at this level or above.'}, {'type': 'paragraph', 'content': "Review and sanitize any existing content that uses the 'google_map_view' shortcode to remove any injected scripts or malicious payloads."}, {'type': 'paragraph', 'content': 'Monitor your site for suspicious activity or unexpected script execution related to the map shortcode.'}] [2, 3]