Attack Vectors
The WordPress plugin Best-wp-google-map (slug: best-wp-google-map) is affected by a Medium severity vulnerability (CVSS 6.4) identified as CVE-2026-1096. The issue impacts all versions up to and including 2.1.
This is an authenticated Stored Cross-Site Scripting (XSS) issue. An attacker who already holds a Contributor-level (or higher) account in your WordPress environment can inject malicious script through the google_map_view shortcode by abusing its latitude and longitudinal parameters. Once the shortcode is saved, the script runs in the browser of anyone who later views the compromised page.
From a business-risk standpoint, this means the threat is most relevant in organizations where multiple users can publish or edit content (marketing teams, agencies, contractors, guest authors), or where accounts may be exposed through weak passwords, phishing, or reused credentials.
Security Weakness
The vulnerability exists because the plugin neither adequately sanitizes the values supplied as shortcode attributes nor properly escapes them on output when rendering the map. As a result, attacker-supplied content is stored with the page content and executed in visitors’ browsers.
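To make the weakness concrete, the following is an added illustration in plain PHP; it is not the Best-wp-google-map plugin's own code, and the shortcode tag `example_map` and the attribute names `latitude` and `longitude` are assumed for the example. The weak handler concatenates attribute values straight into markup, which is the pattern described above; the hardened handler first validates that each value is a numeric coordinate in range and then escapes it on output with WordPress's `esc_attr()`. Minimal stand-ins for the WordPress functions are defined only when the file is run outside WordPress, so it can be executed from the command line.

```php
<?php
// Added example; not the plugin's code. Demonstrates the unsanitized-attribute
// pattern beside a validated, escaped version of the same shortcode handler.

if ( ! function_exists( 'shortcode_atts' ) ) {
    // Stand-ins so this file also runs under plain CLI PHP. Inside WordPress the
    // real functions are used and these definitions are skipped.
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function add_shortcode( $tag, $callback ) {
        // Registration is a no-op outside WordPress.
    }
}

// WEAK pattern: whatever a Contributor types into the attribute reaches the page unchanged.
function example_map_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'latitude' => '0', 'longitude' => '0' ), $atts, 'example_map' );
    return '<div class="map" data-lat="' . $atts['latitude']
         . '" data-lng="' . $atts['longitude'] . '"></div>';
}

// HARDENED pattern, step 1: accept only a number within the valid coordinate range.
// Returns the float on success or null on anything else (markup, quotes, handlers).
function example_normalize_coordinate( $value, $min, $max ) {
    if ( ! is_numeric( $value ) ) {
        return null;
    }
    $f = (float) $value;
    if ( $f < $min || $f > $max ) {
        return null;
    }
    return $f;
}

// HARDENED pattern, step 2: refuse to render invalid input, escape what is rendered.
function example_map_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'latitude' => '0', 'longitude' => '0' ), $atts, 'example_map' );
    $lat  = example_normalize_coordinate( $atts['latitude'], -90.0, 90.0 );
    $lng  = example_normalize_coordinate( $atts['longitude'], -180.0, 180.0 );
    if ( null === $lat || null === $lng ) {
        return ''; // nothing is better than an unvalidated value in the page
    }
    // The values are already floats; esc_attr() is defence in depth for the attribute context.
    return sprintf(
        '<div class="map" data-lat="%s" data-lng="%s"></div>',
        esc_attr( (string) $lat ),
        esc_attr( (string) $lng )
    );
}

add_shortcode( 'example_map', 'example_map_shortcode_hardened' );

// Constructed demo input: a valid latitude and a non-numeric longitude carrying markup.
$demo = array( 'latitude' => '51.5074', 'longitude' => '<i>not a coordinate</i>' );
echo "weak:     " . example_map_shortcode_weak( $demo ) . "\n";      // markup passes through
echo "hardened: [" . example_map_shortcode_hardened( $demo ) . "]\n"; // renders nothing
```

The important design choice is validation before escaping: a coordinate has a known shape, so the handler can reject anything that is not a number instead of trying to neutralize arbitrary text. Escaping on output then covers the remaining HTML-attribute context.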
Unlike a one-time popup or a temporary redirect, stored XSS persists until the malicious content is removed. That persistence increases exposure time and makes the issue more likely to affect executives, customers, partners, and internal teams who routinely view website pages.
Technical or Business Impacts
For leadership teams and compliance stakeholders, the key concern is that this vulnerability can enable attackers to run scripts in the context of your website, potentially undermining trust and business operations. Impacts may include:
Brand and customer trust damage: Visitors may see altered content, unexpected prompts, or suspicious behavior on your website, which can reduce confidence in your brand and hurt conversion rates.
Account and session risk: Because scripts run in a user’s browser when they visit an affected page, attackers may be able to take actions that rely on the user’s active session. This raises risk for privileged users who browse the site while logged in.
Data exposure and compliance pressure: If the affected pages are used in marketing campaigns, landing pages, or customer portals, the presence of malicious scripts can create incident response and disclosure obligations depending on what data is exposed and which regulations apply.
Operational disruption: Investigation, content review, emergency changes, and stakeholder communications can consume significant time and budget—often during revenue-critical periods.
Similar Attacks
Stored XSS has been repeatedly used in real-world incidents to compromise sites, inject malicious content, and target site administrators and visitors. Examples include:
Elementor Pro vulnerability write-up (Wordfence)
Revolution Slider exploitation coverage (Wordfence)
Examples of XSS in WordPress plugins (Wordfence)
For this specific issue in Best-wp-google-map, there is currently no known patch available. Organizations should evaluate mitigation options based on risk tolerance, including restricting Contributor-level publishing access, auditing pages using the google_map_view shortcode, increasing monitoring for unusual content changes, and strongly considering uninstalling and replacing the affected plugin if the business impact of a website compromise is unacceptable.
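As an aid to the "audit pages using the google_map_view shortcode" step above, here is an added PHP command-line helper; it is not part of the plugin or of WordPress. It scans post content for google_map_view shortcodes and flags any whose latitude or longitude attribute is not a plain in-range number. The attribute names `latitude` and `longitude` are assumed; the sample rows are constructed for the example, and in practice you would feed it the `ID`, `post_author` and `post_content` columns exported from `wp_posts`.

```php
<?php
// Added audit helper, not project code. Flags google_map_view shortcodes whose
// coordinate attributes are not numeric, which is where injected markup would sit.

// Return every [tag ...] occurrence in $content; [0] is the full match, [1] the attribute text.
function audit_find_shortcodes( $content, $tag ) {
    $pattern = '/\[' . preg_quote( $tag, '/' ) . '\b([^\]]*)\]/';
    preg_match_all( $pattern, $content, $m, PREG_SET_ORDER );
    return $m;
}

// Parse key="value", key='value' and key=value pairs into an array (keys lower-cased).
function audit_parse_atts( $text ) {
    $atts = array();
    if ( preg_match_all( '/(\w+)\s*=\s*("([^"]*)"|\'([^\']*)\'|(\S+))/', $text, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $a ) {
            $key = strtolower( $a[1] );
            if ( isset( $a[5] ) && $a[5] !== '' ) {
                $atts[ $key ] = $a[5];      // unquoted value
            } elseif ( isset( $a[4] ) && $a[4] !== '' ) {
                $atts[ $key ] = $a[4];      // single-quoted value
            } else {
                $atts[ $key ] = $a[3];      // double-quoted value (possibly empty)
            }
        }
    }
    return $atts;
}

function audit_is_coordinate( $value, $min, $max ) {
    return is_numeric( $value ) && (float) $value >= $min && (float) $value <= $max;
}

// $posts: list of rows with keys ID, post_author, post_content. Returns the findings.
function audit_posts( $posts ) {
    $findings = array();
    foreach ( $posts as $post ) {
        foreach ( audit_find_shortcodes( $post['post_content'], 'google_map_view' ) as $sc ) {
            $atts = audit_parse_atts( $sc[1] );
            $bad  = array();
            if ( isset( $atts['latitude'] ) && ! audit_is_coordinate( $atts['latitude'], -90, 90 ) ) {
                $bad[] = 'latitude';
            }
            if ( isset( $atts['longitude'] ) && ! audit_is_coordinate( $atts['longitude'], -180, 180 ) ) {
                $bad[] = 'longitude';
            }
            if ( $bad ) {
                $findings[] = array(
                    'ID'          => $post['ID'],
                    'post_author' => $post['post_author'],
                    'attributes'  => $bad,
                    'shortcode'   => $sc[0],
                );
            }
        }
    }
    return $findings;
}

// Constructed sample rows (not real site data): one clean embed, one with markup in longitude.
$sample_posts = array(
    array( 'ID' => 11, 'post_author' => 2,
           'post_content' => 'Visit us: [google_map_view latitude="51.5074" longitude="-0.1278"]' ),
    array( 'ID' => 12, 'post_author' => 7,
           'post_content' => 'Office: [google_map_view latitude="51.5" longitude="<i>injected</i>"]' ),
);

foreach ( audit_posts( $sample_posts ) as $f ) {
    printf( "post %d (author %d): non-numeric %s in %s\n",
        $f['ID'], $f['post_author'], implode( ', ', $f['attributes'] ), $f['shortcode'] );
}
```

Each finding names the post and its author, which is what the content review and the account review after a suspected abuse of Contributor access both need. Treat the output as a triage list, not a verdict: a flagged value is one that does not look like a coordinate, and a reviewer still confirms what it contains before editing or reverting the page.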