CVE-2026-1096 identifies a stored Cross-Site Scripting vulnerability in the Best-wp-google-map plugin for WordPress, present in all versions up to and including 2.1. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'latitude' and 'longitudinal' parameters within the 'google_map_view' shortcode. Authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code via these parameters because the plugin fails to adequately sanitize and escape user input before rendering it on pages. When other users access the affected pages, the malicious scripts execute in their browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions within the context of the victim's browser session. The CVSS 3.1 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), with a scope change (S:C) and impacts on confidentiality and integrity but not availability. No patches or official fixes are currently available, and no known exploits have been observed in the wild. The vulnerability is particularly concerning for WordPress sites with multiple contributors or editors, as it allows relatively low-privileged users to escalate their impact through persistent script injection.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications using the Best-wp-google-map plugin. Exploitation could lead to session hijacking, unauthorized access to sensitive data, defacement of websites, and distribution of malware through injected scripts. Organizations relying on WordPress for public-facing websites or intranet portals with multiple contributors are especially vulnerable. The compromise of user sessions or administrative accounts could facilitate further lateral movement or data breaches. Given the widespread use of WordPress across Europe, the vulnerability could affect a broad range of sectors including government, education, e-commerce, and media. The absence of known exploits in the wild currently reduces immediate risk, but the ease of exploitation by authenticated users means that insider threats or compromised contributor accounts could be leveraged. The medium severity rating reflects the need for timely mitigation to prevent escalation.

European organizations should implement the following specific measures: 1) Immediately audit and restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious input. 2) Monitor and review usage of the 'google_map_view' shortcode in site content to detect any suspicious or unauthorized parameter values. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the latitude and longitudinal parameters. 4) Encourage developers and site administrators to apply input validation and output encoding best practices in custom plugins or themes. 5) Stay alert for official patches or updates from the plugin vendor and prioritize their deployment once available. 6) Consider temporarily disabling or replacing the Best-wp-google-map plugin with alternative mapping solutions until a fix is released. 7) Educate content contributors about the risks of injecting untrusted content and enforce strict content review policies. 8) Regularly back up website data and configurations to enable rapid recovery in case of compromise.