The Store Locator WordPress plugin stores the map_style setting without sanitizing or escaping the input before rendering it on the plugin’s admin page. Administrators can inject malicious script code into this setting, which is then executed in the browser context of any user who views the admin page. The vulnerability allows arbitrary client‑side code execution, potentially leading to defacement, credential theft, or session hijacking within the WordPress installation.

All installations of the Store Locator WordPress plugin with a version earlier than 1.6.6. The plugin is listed as an "Unknown:Store Locator WordPress" product. No further version granularity is provided, so any stale deployment that has not applied the 1.6.6 update is susceptible.

The CVSS score is 3.5, but the EPSS score is not disclosed and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation as of this analysis. Nevertheless the attack requires administrator privileges to inject the payload; once injected, the stored XSS will run for every visitor of the admin page. The risk is low, reflecting the CVSS score, but it still allows client‑side code execution that could be used for defacement or credential theft on sites with broad admin privileges. The attack vector is via the authenticated admin interface, and the vulnerability could be leveraged for in‑browser attacks against site administrators and other users who view the page.