CVE-2026-9061
LowCVSS 3.5Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
The Store Locator WordPress plugin before version 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed.
Risk Assessment
The organization may be exposed to XSS attacks that could lead to data theft or takeover of administrator accounts, jeopardizing the security of the entire infrastructure.
Recommendation
It is recommended to update the Store Locator plugin to version 1.6.9 or later to eliminate this vulnerability and conduct a security audit to identify potential threats.
Original NVD description (English source)
The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

