CVE-2026-1096 in Best-wp-google-map Plugin
Summary
by MITRE • 02/14/2026
The Best-wp-google-map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified in CVE-2026-1096 affects the Best-wp-google-map plugin for WordPress, specifically targeting versions up to and including 2.1. This represents a critical security flaw that undermines the integrity of WordPress installations using this plugin. The vulnerability manifests through the google_map_view shortcode functionality, which processes latitude and longitudinal parameters that are susceptible to malicious input injection. The issue stems from inadequate input validation mechanisms and insufficient output escaping procedures within the plugin's codebase, creating a pathway for persistent cross-site scripting attacks that can compromise user sessions and data integrity.
The technical exploitation of this vulnerability occurs through stored cross-site scripting mechanisms that allow authenticated attackers with contributor-level privileges or higher to inject malicious scripts into the plugin's configuration parameters. When users access pages containing the injected content, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or further compromise of the affected WordPress installation. This vulnerability directly maps to CWE-79, which defines Cross-Site Scripting as a weakness where untrusted data is used to generate web content without proper validation or escaping, making it a prime target for attackers seeking to exploit user trust and browser execution contexts.
The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers to manipulate the plugin's functionality and potentially gain unauthorized access to sensitive user data. Contributors and above typically have the ability to modify posts and pages, which means that an attacker with such privileges can embed malicious code that persists across multiple page views and user sessions. The stored nature of this XSS vulnerability means that the malicious content remains embedded in the system until manually removed, creating a persistent threat vector that can affect any user who accesses pages containing the compromised shortcode parameters. This vulnerability also aligns with ATT&CK technique T1059.007 for Scripting, as it enables attackers to execute malicious scripts through legitimate plugin interfaces.
Mitigation strategies for CVE-2026-1096 should prioritize immediate plugin updates to the latest available version that addresses the sanitization and escaping issues. Administrators should implement strict input validation and output escaping mechanisms for all user-provided parameters within the plugin's shortcode functionality. Additionally, privilege escalation controls should be enforced to limit the scope of damage that authenticated users can inflict, particularly concerning plugin configuration modifications. Regular security audits of WordPress plugins and maintaining updated security practices including the principle of least privilege access are essential measures to prevent exploitation of similar vulnerabilities in the future. The vulnerability also underscores the importance of implementing comprehensive content security policies and monitoring for unauthorized modifications to plugin configurations.