CVE Catalog

CVE-2026-9061

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

The Store Locator WordPress plugin before version 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed.

Risk Assessment

The organization may be exposed to XSS attacks that could lead to data theft or takeover of administrator accounts, jeopardizing the security of the entire infrastructure.

Recommendation

It is recommended to update the Store Locator plugin to version 1.6.9 or later to eliminate this vulnerability and conduct a security audit to identify potential threats.

Original NVD description (English source)

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS