VYPR
Low severity 3.5 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-9060

Description

Store Locator WordPress plugin 1.6.5 and earlier is vulnerable to Stored XSS via the map_style setting, affecting high-privileged users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Store Locator WordPress plugin before version 1.6.6 does not properly sanitize and escape a setting before it is stored and later output on the plugin's admin page.

Exploitation

An attacker with high privileges, such as an administrator, can exploit this vulnerability by injecting malicious scripts into the map_style setting. The attack can succeed even when the unfiltered_html capability is disallowed, such as when a super administrator visits the page in a multisite network [1].

Impact

Successful exploitation allows a high-privileged user to execute arbitrary JavaScript in the context of other administrators or users who view the affected admin page. Because the injected script is stored, it runs for each such viewer, potentially compromising user sessions or performing actions on behalf of the user.

Mitigation

The vulnerability is fixed in version 1.6.6 of the Store Locator WordPress plugin. Users should update to this version or later to mitigate the risk. No other mitigation details are available in the provided references.

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
