CVE-2026-9061

Vulnerability

The Store Locator WordPress plugin versions before 1.6.9 fail to sanitize and escape the store logo metadata (e.g., logo_name) before storing it and outputting it on the plugin's admin page. This allows high-privileged users such as administrators to inject arbitrary JavaScript. The vulnerability is particularly impactful in multisite networks where the unfiltered_html capability is disallowed, as the plugin's lack of sanitization bypasses that restriction. [1]

Exploitation

An attacker with administrator-level access to the WordPress admin panel can upload or modify store logo metadata containing malicious JavaScript. The stored payload is then executed when the admin page is viewed by other administrators or users with access to that page. No additional user interaction beyond viewing the page is required. [1]

Impact

Successful exploitation leads to Stored Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of the admin page. This can result in session hijacking, defacement, or further compromise of the WordPress site. The attack bypasses the unfiltered_html capability restriction, making it especially dangerous in multisite environments. [1]

Mitigation

The vulnerability is fixed in version 1.6.9 of the Store Locator plugin, released on or before 2026-05-23. Users should update to version 1.6.9 or later immediately. No workarounds are provided in the reference. [1]