CVE-2026-1096

The Best-wp-google-map plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its 'google_map_view' shortcode. The 'latitude' and 'longitudinal' parameters are insufficiently sanitized and escaped, allowing attackers to inject arbitrary JavaScript code. This issue affects all versions up to and including 2.1 [1].

To exploit this, an attacker must have at least Contributor-level access to the WordPress site. They can inject malicious scripts via the shortcode parameters when creating or editing posts or pages. The injected script is stored and executed whenever a user accesses the affected page, including higher-privileged users like administrators.

Successful exploitation could lead to session hijacking, defacement, or redirection to malicious sites. The plugin has been closed as of February 12, 2026, and is no longer available for download [1]. Users should immediately replace the plugin with an alternative and remove any instances of the vulnerable shortcode.