Stored Cross-Site Scripting Vulnerability in WP Google Street View Plugin by WordPress
CVE-2026-0563

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: WP Google Street View (with 360° Virtual Tour) & Google Maps + Local Seo
Vendor: CVE Published:; 9 January 2026

What is CVE-2026-0563?

The WP Google Street View & Google maps + Local SEO plugin for WordPress has a vulnerability that allows authenticated users with contributor level access and above to exploit the 'wpgsv_map' shortcode. This results from inadequate input sanitization and output escaping, enabling attackers to inject arbitrary scripts in web pages. Once the page is accessed, these scripts can execute, potentially compromising the security of users accessing the site.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Google Street View (with 360° virtual tour) & Google maps + Local SEO * <= 1.1.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3432185/wp-g...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 9, 2026
Vulnerability Reserved
Jan 1, 2026

Credit

Paolo Tresso

JSON

WordPress