Stored Cross-Site Scripting Vulnerability in WP Google Street View Plugin by WordPress
CVE-2026-0563

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: WP Google Street View (with 360° Virtual Tour) & Google Maps + Local Seo
Vendor: CVE Published:; 9 January 2026

What is CVE-2026-0563?

The WP Google Street View & Google maps + Local SEO plugin for WordPress has a vulnerability that allows authenticated users with contributor level access and above to exploit the 'wpgsv_map' shortcode. This results from inadequate input sanitization and output escaping, enabling attackers to inject arbitrary scripts in web pages. Once the page is accessed, these scripts can execute, potentially compromising the security of users accessing the site.

Affected Version(s)

WP Google Street View (with 360° virtual tour) & Google maps + Local SEO 0 <= 1.1.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3432185/wp-g...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 9, 2026
Vulnerability Reserved
Jan 1, 2026

Credit

Paolo Tresso

CVE-2026-0563 Data

JSON