CVE-2026-9060: CWE-79 Cross-Site Scripting (XSS) in Store Locator WordPress
A stored cross-site scripting (XSS) vulnerability exists in the Store Locator WordPress plugin before version 1. 6. 6. The vulnerability arises because one of the plugin's settings is not properly sanitized or escaped before storage and output on the plugin's admin page. This allows high-privileged users, such as administrators, to execute stored XSS attacks even if the 'unfiltered_html' capability is disabled, such as in multisite network environments.
AI Analysis
Technical Summary
The Store Locator WordPress plugin versions prior to 1.6.6 contain a stored cross-site scripting vulnerability (CWE-79). This occurs because the plugin fails to sanitize and escape one of its settings before storing and rendering it on the admin page. As a result, high-privileged users including administrators can inject malicious scripts that persist and execute when the affected admin page is viewed. This vulnerability bypasses restrictions like the 'unfiltered_html' capability, increasing risk in multisite WordPress networks.
Potential Impact
An attacker with high-level privileges (e.g., administrator) can exploit this vulnerability to perform stored XSS attacks within the WordPress admin interface. This could lead to execution of arbitrary JavaScript in the context of the admin user, potentially enabling session hijacking, privilege escalation, or other malicious actions. However, exploitation requires administrative access, limiting the scope to trusted users with elevated permissions.
Mitigation Recommendations
No official fix or patch is currently confirmed. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrative access to trusted users only and monitor for suspicious activity. Avoid using affected versions if possible and apply updates once version 1.6.6 or later is released.
CVE-2026-9060: CWE-79 Cross-Site Scripting (XSS) in Store Locator WordPress
Description
A stored cross-site scripting (XSS) vulnerability exists in the Store Locator WordPress plugin before version 1. 6. 6. The vulnerability arises because one of the plugin's settings is not properly sanitized or escaped before storage and output on the plugin's admin page. This allows high-privileged users, such as administrators, to execute stored XSS attacks even if the 'unfiltered_html' capability is disabled, such as in multisite network environments.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Store Locator WordPress plugin versions prior to 1.6.6 contain a stored cross-site scripting vulnerability (CWE-79). This occurs because the plugin fails to sanitize and escape one of its settings before storing and rendering it on the admin page. As a result, high-privileged users including administrators can inject malicious scripts that persist and execute when the affected admin page is viewed. This vulnerability bypasses restrictions like the 'unfiltered_html' capability, increasing risk in multisite WordPress networks.
Potential Impact
An attacker with high-level privileges (e.g., administrator) can exploit this vulnerability to perform stored XSS attacks within the WordPress admin interface. This could lead to execution of arbitrary JavaScript in the context of the admin user, potentially enabling session hijacking, privilege escalation, or other malicious actions. However, exploitation requires administrative access, limiting the scope to trusted users with elevated permissions.
Mitigation Recommendations
No official fix or patch is currently confirmed. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrative access to trusted users only and monitor for suspicious activity. Avoid using affected versions if possible and apply updates once version 1.6.6 or later is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-05-20T07:36:52.264Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2907048dd33fbd85fa86ab
Added to database: 6/10/2026, 6:41:08 AM
Last enriched: 6/10/2026, 6:55:51 AM
Last updated: 6/10/2026, 7:48:39 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.