CVE-2026-3361 - Vulnerability Details

- WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta

Description

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.

Published: 2026-04-23

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WP Store Locator plugin contains a stored cross‑site scripting vulnerability that allows authenticated users with contributor‑level access or higher to insert arbitrary JavaScript into the wpsl_address post meta field. The injected script is rendered when a user views a page containing the affected store entry or opens a map marker info window, providing the attacker with the ability to deface content, hijack sessions, or delivery malware to end users.

Affected Systems

WordPress sites running the WP Store Locator plugin version 2.2.261 or earlier are affected. The plugin is developed by tijmensmit and the vulnerable code resides in the wpsl_address post meta handler.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1%, so exploitation is considered unlikely but not impossible. It is not listed in the CISA KEV catalog. Attackers must be authenticated with at least contributor privileges and must be able to create or edit store entries; once the malicious content is stored, any visitor who loads the affected page or map marker will execute the injected script.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

tijmensmit

WP Store Locator

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.2.261

No data.

Vendor Product Confidence Versions

Tijmensmit

Wp Store Locator

100%

Version	Status	Scheme	Platform
`[0,2.2.261]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WP Store Locator to the latest version (currently 2.2.262 or later).
If a patch is not immediately available, remove the wpsl_address field from posts or replace its value with a sanitized version, ensuring no script tags or event handlers are present.
Revoke or reduce contributor roles on the WordPress site, limiting who can modify store entries until the issue is resolved.

Generated by OpenCVE AI on April 28, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve

History

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tijmensmit Tijmensmit wp Store Locator Wordpress Wordpress wordpress
Vendors & Products		Tijmensmit Tijmensmit wp Store Locator Wordpress Wordpress wordpress

Thu, 23 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.
Title		WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Tijmensmit Wp Store Locator

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-23T03:26:36.668Z

Updated: 2026-04-23T14:00:30.776Z

Reserved: 2026-02-27T19:42:11.662Z

Link: CVE-2026-3361

Vulnrichment

Updated: 2026-04-23T14:00:26.884Z

NVD

Status : Deferred

Published: 2026-04-23T04:16:18.807

Modified: 2026-04-23T14:28:55.557

Link: CVE-2026-3361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object