WordPress Locatoraid Store Locator Plugin <= 3.9.18 is vulnerable to Cross Site Scripting (XSS)
Description
Auth. (subscriber+) Stored Cross-Site Scripting vulnerability in Plainware Locatoraid Store Locator plugin <= 3.9.18 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Locatoraid Store Locator plugin for WordPress up to version 3.9.18 contains a stored cross-site scripting vulnerability exploitable by authenticated users with subscriber-level access or higher.
Vulnerability
The Locatoraid Store Locator plugin for WordPress (versions up to and including 3.9.18) [1] is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping. The vulnerability is present in the plugin's handling of location data, allowing authenticated users with subscriber-level privileges to inject arbitrary JavaScript code that gets stored and executed when other users view the affected page.
Exploitation
An attacker must have a valid WordPress account with at least subscriber-level permissions. They can exploit the vulnerability by submitting malicious input through forms or fields that store location data, such as location name, address, or custom fields. The injected script is stored in the database and executed in the browsers of users (including administrators) who view the location listings or maps rendered by the plugin.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, theft of cookies, defacement of the site, or redirection to malicious sites. The scope is limited to the WordPress installation's user sessions and data accessible via the authenticated user's privileges.
Mitigation
The vendor has addressed the vulnerability in version 3.9.19 and later [1]. Users are strongly advised to update the Locatoraid Store Locator plugin to the latest version (3.9.70 or higher). No workarounds are publicly available.
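To make the mitigation concrete, the following is an added illustration of the two coding patterns the advisory contrasts: user-supplied location data stored and echoed without treatment, beside the same flow with a capability check, sanitization on save and context-specific escaping on output. This is example code written for this page, not the Locatoraid plugin's own source; the function names, the `demo_locations` option and the listing/map-marker sinks are assumptions, while `sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`, `wp_json_encode`, `current_user_can` and `check_admin_referer` are standard WordPress APIs.

```php
<?php
// Added illustration (not the plugin's code): a store-locator location record
// written by a low-privileged user and rendered into an HTML listing and map JS.
// Function names, the option key and the sinks are assumptions for the example.

// --- Vulnerable pattern: raw input is stored and emitted back unchanged ---
function demo_save_location_vulnerable( array $post ) {
    // No capability check and no sanitization: any logged-in user can persist markup.
    update_option( 'demo_locations', array(
        'name'    => $post['name'],
        'address' => $post['address'],
    ) );
}

function demo_render_location_vulnerable( array $loc ) {
    // Stored markup lands verbatim in the admin listing and in inline script.
    echo '<td>' . $loc['name'] . '</td>';
    echo '<script>addMarker("' . $loc['name'] . '");</script>';
}

// --- Hardened pattern: authorize, sanitize on input, escape per output context ---
function demo_save_location_hardened( array $post ) {
    // Restrict writes to users allowed to manage locations; subscribers are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), 403 );
    }
    // Nonce check so the form cannot be submitted cross-site on the user's behalf.
    check_admin_referer( 'demo_save_location' );

    update_option( 'demo_locations', array(
        'name'    => sanitize_text_field( wp_unslash( $post['name'] ) ),
        'address' => sanitize_textarea_field( wp_unslash( $post['address'] ) ),
    ) );
}

function demo_render_location_hardened( array $loc ) {
    // HTML body context.
    printf( '<td>%s</td>', esc_html( $loc['name'] ) );
    // URL and attribute contexts.
    printf(
        '<a href="%s" title="%s">map</a>',
        esc_url( 'https://maps.example/?q=' . rawurlencode( $loc['address'] ) ),
        esc_attr( $loc['name'] )
    );
    // Script context: wp_json_encode() yields a JS string literal and encodes "/"
    // as "\/", so a stored "</script>" cannot terminate the script block.
    printf( '<script>addMarker(%s);</script>', wp_json_encode( $loc['name'] ) );
}
```

Sanitizing on save alone is not sufficient, because the same value may be rendered into HTML, attributes, URLs and script, each with different escaping rules; escaping at every output sink for its exact context is what closes the stored XSS, and the capability check removes the subscriber-level write path the advisory describes.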
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.9.18
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.