CVE-2026-4268 is a stored cross-site scripting vulnerability identified in the WP Go Maps plugin for WordPress, formerly known as WP Google Maps. The vulnerability exists due to improper neutralization of input during web page generation, specifically involving the 'wpgmza_custom_js' parameter. The root cause is insufficient input sanitization and output escaping, coupled with a missing capability check in the 'admin_post_wpgmza_save_settings' hook's anonymous function. This flaw allows an authenticated attacker with Subscriber-level permissions or higher to inject arbitrary JavaScript code that is stored persistently within the plugin's settings. When any user accesses a page containing the injected script, the malicious code executes in their browser context. The vulnerability is exploitable remotely over the network without user interaction but requires the attacker to have at least minimal authenticated access. The CVSS v3.1 base score is 6.4, indicating a medium severity with impacts on confidentiality and integrity but no direct impact on availability. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. No public exploits have been reported yet, but the vulnerability poses a risk of session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. The vulnerability affects all versions up to and including 10.0.05 of the WP Go Maps plugin. Given the widespread use of WordPress and this plugin, the vulnerability has broad potential impact.

The primary impact of CVE-2026-4268 is the potential for attackers with low-level authenticated access (Subscriber or higher) to inject persistent malicious scripts into WordPress sites using the WP Go Maps plugin. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and potential privilege escalation. Since the injected scripts execute in the context of any user visiting the affected pages, including administrators, the confidentiality and integrity of user sessions and data are at risk. Although availability is not directly impacted, the resulting compromise could lead to further attacks or site defacement. Organizations relying on this plugin for map functionality on their WordPress sites face reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The requirement for authenticated access limits exploitation somewhat, but many WordPress sites allow user registrations or have multiple user roles, increasing the attack surface. The vulnerability's network exploitability and lack of user interaction requirement make it a credible threat in environments with untrusted or semi-trusted users.

To mitigate CVE-2026-4268, organizations should immediately update the WP Go Maps plugin to a version where this vulnerability is patched once available. In the absence of an official patch, administrators should restrict user roles to trusted individuals only, removing or limiting Subscriber-level access where possible. Implementing strict input validation and output encoding for the 'wpgmza_custom_js' parameter at the application level can reduce risk. Additionally, applying a Web Application Firewall (WAF) with custom rules to detect and block suspicious JavaScript payloads targeting this parameter can provide temporary protection. Regularly auditing user accounts and monitoring for unusual activity can help detect exploitation attempts. Disabling or removing the plugin if it is not essential reduces the attack surface. Site administrators should also ensure WordPress core and all plugins are kept up to date and follow the principle of least privilege for user roles. Finally, educating users about the risks of XSS and monitoring logs for signs of injection attempts are recommended.