CVE-2026-1096 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Best-wp-google-map plugin for WordPress, maintained by raju_ahmed. The flaw exists in all plugin versions up to and including 2.1, where the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode are not properly sanitized or escaped before being rendered on web pages. This improper neutralization of input (CWE-79) allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or other malicious activities. The vulnerability requires no user interaction beyond viewing the affected page and does not require elevated privileges beyond Contributor access, which is commonly granted in WordPress sites for content creation. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The absence of official patches at the time of reporting necessitates immediate mitigation measures.

This vulnerability can lead to unauthorized script execution in the context of affected WordPress sites, compromising user sessions and potentially exposing sensitive information such as authentication tokens or personal data. Attackers with Contributor-level access can leverage this flaw to escalate their impact by injecting persistent malicious scripts, which execute for all users visiting the infected pages. This undermines the confidentiality and integrity of the site and its users. While availability is not directly affected, the reputational damage and potential data breaches can have severe operational and financial consequences. Organizations relying on the Best-wp-google-map plugin are at risk of targeted attacks, especially if they have multiple contributors or allow external users to contribute content. The vulnerability's scope includes any WordPress installation using this plugin, which is common in many small to medium-sized businesses, non-profits, and personal websites globally.

Immediate mitigation involves restricting Contributor-level user permissions to trusted individuals only and auditing existing content for suspicious scripts. Site administrators should disable or remove the Best-wp-google-map plugin until a patched version is released. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'latitude' and 'longitudinal' parameters can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Regularly updating WordPress core and plugins, monitoring logs for unusual activity, and educating contributors about safe input practices are essential. Once a vendor patch is available, prompt application is critical. For sites where patching is delayed, consider sanitizing inputs at the application or database level as a stopgap measure.