Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.4
Best-wp-google-map plugin lets attackers inject malicious scripts
CVE-2026-1096
Summary
The Best-wp-google-map plugin for WordPress is at risk if you have a contributor or above user with malicious intent. They can inject malicious scripts into your website that will run when users visit the affected page. Update to a fixed version of the plugin to protect your site.
Original title
The Best-wp-google-map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode in all versions up to, a...
Original description
The Best-wp-google-map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/best-wp-google-map/tags/2.1/plug-hook...
- https://plugins.trac.wordpress.org/browser/best-wp-google-map/trunk/plug-hook.ph...
- https://wordpress.org/plugins/best-wp-google-map/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b3219b17-03b8-44c3-bf3...
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026