Executive Summary

The Store Locator WordPress plugin before version 1.6.9 has a stored Cross-Site Scripting (XSS) vulnerability. This happens because the plugin does not properly sanitize and escape the store logo metadata, specifically the logo name, before storing and displaying it on the admin page.

This flaw allows high-privileged users, such as administrators, to inject malicious scripts via the logo metadata. Even if the `unfiltered_html` capability is disabled (for example, in a multisite WordPress network), an attacker with administrative access can exploit this by sending a crafted AJAX request to update the logo name with malicious code. When an administrator later views the logo management page, the injected script executes in their browser.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to stored Cross-Site Scripting attacks within the WordPress admin interface. An attacker with administrative privileges can inject malicious scripts that execute when other administrators view the affected page.

• Execution of arbitrary JavaScript code in the context of the admin user’s browser session.
• Potential theft of sensitive information such as authentication cookies or tokens.
• Performing unauthorized actions on behalf of the administrator.
• Compromise of the WordPress site’s administrative control and security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Agile Store Locator WordPress plugin version is prior to 1.6.9, as those versions are vulnerable to stored Cross-Site Scripting (XSS) attacks via the store logo metadata.

Detection involves verifying if malicious scripts have been injected into the logo_name parameter by an administrator. This can be done by inspecting the logo management page for unexpected script execution or by reviewing AJAX requests that update the logo name.

A practical approach is to monitor or capture AJAX requests to the plugin's logo update endpoint and check for suspicious payloads in the logo_name parameter.

• Use browser developer tools or a proxy tool (e.g., Burp Suite) to intercept AJAX requests updating the logo_name parameter.
• Check the plugin version via WP-CLI: `wp plugin get agile-store-locator --field=version` to confirm if it is below 1.6.9.
• Manually inspect the logo management admin page for any unexpected script execution or injected HTML.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to update the Agile Store Locator WordPress plugin to version 1.6.9 or later, where the vulnerability has been fixed.

Until the update can be applied, restrict administrative access to trusted users only, as exploitation requires high-privileged user access.

Additionally, monitor and audit any changes to the store logo metadata, especially the logo_name parameter, to detect any suspicious activity.

Consider disabling or limiting AJAX requests that update the logo_name parameter if possible, or implement additional input sanitization at the web application firewall (WAF) level.

Useful 0 Not Useful 0