VYPR

Store Locator

by WordPress

CVEs (15)

  • CVE-2024-12571 Cri Dec 20, 2024
    risk 0.65 cvss 9.8 epss 0.01

    The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the…

  • CVE-2014-8621 Cri Oct 16, 2017
    risk 0.64 cvss 9.8 epss 0.03

    SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.

  • CVE-2025-23422 Hig Jan 24, 2025
    risk 0.49 cvss 7.5 epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in moaluko Store Locator store-locator allows PHP Local File Inclusion. This issue affects Store Locator: from n/a through <= 3.98.10.

  • CVE-2025-10754 Hig Oct 15, 2025
    risk 0.47 cvss 7.2 epss 0.01

    The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Editor-level access…

  • CVE-2024-9652 Med Oct 16, 2024
    risk 0.40 cvss 6.1 epss 0.00

    The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2023-4151 Med Sep 4, 2023
    risk 0.40 cvss 6.1 epss 0.01

    The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

  • CVE-2022-41615 Med Nov 18, 2022
    risk 0.40 cvss 6.1 epss 0.00

    Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress.

  • CVE-2023-27618 Med Jun 22, 2023
    risk 0.38 cvss 5.9 epss 0.00

    Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in AGILELOGIX Store Locator WordPress plugin <= 1.4.9 versions.

  • CVE-2022-4832 Med Jan 23, 2023
    risk 0.35 cvss 5.4 epss 0.00

    The Store Locator WordPress plugin before 1.4.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used…

  • CVE-2022-0493 Med Mar 28, 2022
    risk 0.32 cvss 4.9 epss 0.01

    The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search,…

  • CVE-2026-9061 Low Jun 13, 2026
    risk 0.23 cvss 3.5 epss 0.00

    The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site…

  • CVE-2026-9060 Low Jun 10, 2026
    risk 0.23 cvss 3.5 epss 0.00

    The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site…

  • CVE-2026-9062 Low Jun 13, 2026
    risk 0.22 cvss 3.4 epss 0.00

    The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and…

  • CVE-2024-12301 May 15, 2025
    risk 0.00 cvss epss 0.00

    The JSP Store Locator WordPress plugin through 1.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

  • CVE-2024-12414 Dec 13, 2024
    risk 0.00 cvss epss 0.00

    The Themify Store Locator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the setting_page() function. This makes it possible for unauthenticated attackers to…