CVE-2026-0563 in WP Google Street View Plugin
Summary
by MITRE • 01/09/2026
The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/09/2026
The vulnerability identified as CVE-2026-0563 affects the WP Google Street View plugin for WordPress, a widely used tool that integrates google maps and street view functionality with 360 degree virtual tours. This plugin enables website administrators to embed interactive maps and virtual tours into their wordpress sites through shortcode implementation. The vulnerability exists specifically within the 'wpgsv_map' shortcode functionality and impacts all versions up to and including 1.1.8, representing a critical security flaw that could compromise entire wordpress installations when exploited by malicious actors with appropriate privileges.
The technical flaw stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's shortcode processing code. When administrators or contributors create or modify map shortcodes, the plugin fails to properly validate or sanitize user-supplied input parameters before storing them in the database. This allows malicious actors to inject malicious javascript code directly into the shortcode parameters, which are then stored persistently within the wordpress database. The vulnerability is classified as stored cross-site scripting since the malicious code is not executed immediately but rather stored and executed whenever any user accesses a page containing the compromised shortcode, making it particularly dangerous as the attack surface expands with each affected page.
The operational impact of this vulnerability is significant for wordpress site administrators who rely on the plugin for their mapping functionality. Attackers with contributor level access or higher can exploit this vulnerability to inject malicious scripts that will execute in the browsers of any user who visits pages containing the compromised shortcodes. This creates a persistent threat vector that can be used to steal user sessions, perform unauthorized actions on behalf of users, redirect visitors to malicious websites, or even execute more sophisticated attacks such as credential harvesting or browser exploitation. The vulnerability is particularly concerning because it requires minimal privileges to exploit and can affect any user who accesses the compromised content, making it a potent tool for mass compromise.
The vulnerability aligns with CWE-79 which describes cross-site scripting flaws resulting from insufficient input validation and output escaping. From an attack perspective, this vulnerability maps to ATT&CK technique T1566.001 which involves social engineering through malicious content injection. The attack chain typically involves gaining contributor level access through credential compromise or social engineering, creating malicious shortcodes, and then waiting for unsuspecting users to access the compromised pages. Organizations should immediately update to the latest version of the plugin if available, implement proper input validation for shortcode parameters, and consider restricting contributor-level access to prevent unauthorized shortcode modifications. Additionally, monitoring for suspicious shortcode usage and implementing content security policies can help mitigate the risk of exploitation.
Security practitioners should also note that this vulnerability represents a common pattern in wordpress plugin development where input validation is insufficiently implemented. The attack surface extends beyond the immediate plugin functionality to encompass all pages where the affected shortcode is used, making it crucial for administrators to audit their entire site for potentially compromised content. Regular security audits of installed plugins, particularly those with administrative or contributor-level functionality, are essential to prevent similar vulnerabilities from being exploited in the future. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web applications, particularly those handling user-generated content through shortcode or similar mechanisms.