CVE Catalog

CVE-2026-9060

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

8th percentile — higher than 8% of all known CVEs

Summary

The Store Locator WordPress plugin before version 1.6.6 does not sanitize and escape one of its settings before storing and outputting it on the admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks.

Risk Assessment

The organization may be exposed to XSS attacks that could lead to data theft or account takeover by unauthorized users, even when the unfiltered HTML capability is disallowed.

Recommendation

It is recommended to update the Store Locator plugin to version 1.6.6 or later to mitigate this vulnerability and to regularly monitor and audit the plugins in use.

Original NVD description (English source)

The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS