Description
The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the plugin's admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Store Locator WordPress plugin stores the map_style setting without sanitizing it on save or escaping it on output when the plugin's admin page is rendered. Any user who can edit the setting (administrator or above) can store a script payload that then executes in the browser of every user who views that page. On a single-site install an administrator normally holds `unfiltered_html` and could publish script anyway, so the finding matters where that capability is removed: most notably on multisite, where a subsite administrator lacks `unfiltered_html` but can plant a payload that runs when the network super admin opens the page. The result is arbitrary client-side code execution in the context of the viewing user, which can be used for defacement, credential theft, or session hijacking within the WordPress installation.

Affected Systems

All installations of the Agile Store Locator WordPress plugin older than 1.6.6 (OpenCVE lists the product as "Unknown:Store Locator WordPress"). No finer version granularity is given, so treat any deployment that has not been updated to 1.6.6 as affected.

Risk and Exploitability

No CVSS or EPSS score has been assigned, and the vulnerability is not in the CISA KEV catalog, so there is no evidence of in-the-wild exploitation at the time of this analysis. Exploitation requires an account that can edit the plugin's settings (administrator or above); once the payload is stored it executes for every user who opens the settings page. The vulnerability therefore matters most on multisite networks, where subsite administrators lack `unfiltered_html` but a stored payload still runs in the super admin's browser, and on any site where the administrator role is handed out loosely. The attack surface is the authenticated admin interface only; there is no unauthenticated path.

Generated by OpenCVE AI on June 10, 2026 at 07:22 UTC.

Remediation

The fix is the plugin update itself: the advisory states that versions before 1.6.6 are affected, so 1.6.6 is the patched release. No separate workaround has been published.

OpenCVE Recommended Actions

  • Update the Agile Store Locator plugin to 1.6.6 or later, which sanitizes and escapes the map_style setting.
  • Until the update is applied, limit who holds the administrator role; on multisite, treat subsite administrators as untrusted with respect to the super admin and avoid opening the plugin's settings page on subsites you do not control. After updating, inspect the stored map_style value for markup: an update changes code, not data already in wp_options, so a payload stored earlier is only neutralized if the fixed version escapes it on output.
  • For plugin code you maintain, sanitize settings on save (a `sanitize_callback` on `register_setting`, ideally against an allow-list of valid values) and escape on output with `esc_attr()` / `esc_html()`; a Content Security Policy on wp-admin limits what a stored payload can do if one slips through.
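As an added illustration of the bug class described in the Impact section and of the sanitize-on-save, escape-on-output fix recommended above (this is example code, not the Agile Store Locator plugin's own code, which the advisory does not show), the vulnerable pattern and its hardened form in a WordPress settings page. The option key `xmpl_map_style`, the allow-list of style names, the settings-page slug and the `xmpl_` function names are assumptions made for the example:

```php
<?php
/*
 * Plugin Name: Map Style Setting (hardened example)
 * Example code only: NOT the Agile Store Locator plugin. It assumes a
 * hypothetical settings page with an option named "xmpl_map_style" saved via
 * the WordPress Settings API; the real plugin's option key, allowed values and
 * markup are not known from the advisory.
 */

// --- Vulnerable pattern (the shape of a CWE-79 settings-page bug) ----------
// The raw POST value is written to the database and later echoed unescaped.
// These two functions are deliberately left unhooked; they are here to show
// the defect, not to run.
function xmpl_vulnerable_save() {
    if ( isset( $_POST['map_style'] ) ) {
        // No sanitize_callback, no allow-list: anything is stored.
        update_option( 'xmpl_map_style', wp_unslash( $_POST['map_style'] ) );
    }
}
function xmpl_vulnerable_render() {
    $style = get_option( 'xmpl_map_style', '' );
    // No esc_attr(): a value such as  "><script>...</script>  breaks out of the
    // attribute and runs for any user who opens the page, including a
    // multisite super admin. unfiltered_html is irrelevant because the
    // plugin, not WordPress core, handles this field.
    echo '<input type="text" name="map_style" value="' . $style . '">';
}

// --- Hardened pattern ------------------------------------------------------
// Assumed allow-list of valid map styles (hypothetical names).
const XMPL_ALLOWED_MAP_STYLES = array( 'default', 'silver', 'retro', 'dark', 'night' );

// Runs on every save regardless of the saving user's capabilities.
function xmpl_sanitize_map_style( $value ) {
    $value = sanitize_key( (string) $value );            // lowercase [a-z0-9_-] only
    return in_array( $value, XMPL_ALLOWED_MAP_STYLES, true ) ? $value : 'default';
}

add_action( 'admin_init', function () {
    register_setting(
        'xmpl_settings',
        'xmpl_map_style',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'xmpl_sanitize_map_style',
            'default'           => 'default',
        )
    );
} );

add_action( 'admin_menu', function () {
    add_options_page( 'Map Style', 'Map Style', 'manage_options', 'xmpl-map-style', 'xmpl_render_settings_page' );
} );

function xmpl_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Escape on output as well as sanitizing on save: if a bad value reached
    // the database before the sanitizer existed, esc_attr() keeps it inside
    // the attribute and esc_html() keeps it out of the markup.
    $current = get_option( 'xmpl_map_style', 'default' );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'xmpl_settings' ); ?>
        <select name="xmpl_map_style">
            <?php foreach ( XMPL_ALLOWED_MAP_STYLES as $style ) : ?>
                <option value="<?php echo esc_attr( $style ); ?>" <?php selected( $current, $style ); ?>>
                    <?php echo esc_html( ucfirst( $style ) ); ?>
                </option>
            <?php endforeach; ?>
        </select>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The allow-list is the important part: a free-text style name has no legitimate reason to contain `<`, `"` or `>`, so rejecting anything outside the known set removes the attack surface entirely rather than trying to strip dangerous characters. Escaping on output is still kept, because it is the only defence for values that were stored before the fix.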


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 07:45:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79

Wed, 10 Jun 2026 06:45:00 +0000

Type         Values Removed   Values Added
Description                   The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).
Title                         Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style
References


MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-10T06:00:11.834Z

Reserved: 2026-05-20T07:36:52.264Z

Link: CVE-2026-9060

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T07:16:25.473

Modified: 2026-06-10T07:16:25.473

Link: CVE-2026-9060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T07:30:25Z

Weaknesses