CVE-2026-0563 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'WP Google Street View (with 360° virtual tour) & Google maps + Local SEO' developed by pagup. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, the 'wpgsv_map' shortcode does not adequately sanitize or escape user-supplied input before rendering it on pages. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript payloads into WordPress pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, stealing cookies, or performing actions on behalf of the victim. The vulnerability affects all plugin versions up to and including 1.1.8. The CVSS 3.1 base score is 6.4, reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and impact on confidentiality and integrity (C:L, I:L) but not availability (A:N). The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No public exploits are currently known, but the presence of stored XSS in a widely used WordPress plugin poses a significant risk, especially in environments with multiple contributors. The vulnerability can be exploited remotely over the network by authenticated users, making it a moderate but actionable threat.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, resulting in session hijacking, credential theft, defacement, or malware distribution. Organizations relying on WordPress sites with multiple contributors, such as content teams or marketing departments, are particularly vulnerable since contributor-level access suffices for exploitation. The compromise of user sessions or administrative accounts could lead to further lateral movement or data breaches. This risk is heightened for public-facing websites with high traffic, including e-commerce, local business directories, and tourism-related sites that use Google Maps integrations. The integrity and confidentiality of user data and organizational information may be impacted, undermining trust and potentially violating GDPR if personal data is exposed. Although availability is not directly affected, reputational damage and remediation costs can be significant. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly once disclosed.

Immediate mitigation involves monitoring for plugin updates from the vendor and applying patches as soon as they are released. Until an official patch is available, organizations should restrict contributor-level permissions to trusted users only and audit existing content for suspicious shortcode usage. Implementing Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'wpgsv_map' shortcode can reduce exploitation risk. Site administrators should enforce strict input validation and output encoding on shortcode parameters, potentially via custom plugin modifications or security plugins that sanitize inputs. Regular security reviews and user role audits will limit the attack surface. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Logging and monitoring web traffic for anomalous behavior related to shortcode usage can provide early detection. Finally, educating contributors about the risks of injecting untrusted content is recommended.