CVE-2026-9060: Store Locator WordPress Plugin Stored XSS – Admin Privilege Escalation Risk
The Store Locator WordPress plugin before version 1.6.6 contains a stored cross-site scripting (XSS) vulnerability in its admin settings. An administrator or similarly privileged user can inject malicious JavaScript into one of the plugin's settings, which is then executed when other high-privileged users (such as network super admins on multisite installations) visit the admin page. This bypasses WordPress's standard HTML filtering protections that normally prevent such attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9060 is a stored XSS vulnerability (CWE-79) in the Store Locator plugin affecting versions prior to 1.6.6. The vulnerability exists because one settings field is not properly sanitized on input or escaped on output. The attack surface is limited to high-privilege users; an administrator must first inject the payload, and then it executes in the context of another high-privilege user viewing that admin page. The CVSS 3.1 score of 3.5 (LOW) reflects the requirement for high privilege and user interaction, combined with limited impact scope (no availability impact, only confidentiality and integrity of that session).
Business impact
The practical risk is contained due to privilege requirements. However, in multisite WordPress networks, a site administrator could inject JavaScript that executes when the network super admin visits the Store Locator settings page. This could facilitate account compromise, token theft, or malicious plugin/theme installation at the network level. For single-site installations, the threat is primarily horizontal privilege abuse among administrators. Organizations relying on WordPress multisite or those with multiple administrators should prioritize patching to prevent potential lateral movement or privilege escalation chains.
Affected systems
Store Locator WordPress plugin versions before 1.6.6. The vulnerability does not affect WordPress core, hosting environments, or other plugins. Impact is specific to sites running this plugin. Multisite networks are at higher risk because payloads persist and can be triggered when super admins access the plugin's admin interface.
Exploitability
Exploitation requires high-privilege access (administrator role minimum). The attacker must manually inject JavaScript into the vulnerable settings field and save it. A second high-privileged user must then visit the Store Locator admin page for the payload to execute. This is not remotely exploitable by unauthenticated users and is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack relies on social engineering or insider threat rather than automated exploit distribution.
Remediation
Upgrade the Store Locator WordPress plugin to version 1.6.6 or later. Verify the update is available through the WordPress plugin repository or the vendor's official source. After patching, review admin audit logs (if available via security plugins) for any suspicious settings modifications made before the update. In multisite environments, super admins should check for any unexpected JavaScript in Store Locator settings that may have been injected by site-level administrators.
Patch guidance
Navigate to the WordPress admin dashboard, go to Plugins → Installed Plugins, locate Store Locator, and click Update if version 1.6.6 or later is available. Ensure you have a backup before updating. After the update completes, verify the plugin remains active and functioning. If using a staging environment, test the update there first. Automated plugin update management (via management plugins or hosting provider tools) is recommended to prevent similar issues in the future.
Detection guidance
Examine Store Locator plugin settings (via admin UI or database) for unusual JavaScript code in any settings fields—particularly those containing script tags, event handlers, or encoded payloads. Check WordPress admin audit logs (if available through security plugins like Wordfence or Sucuri) for unauthorized changes to Store Locator settings. On multisite installations, monitor for settings changes made by site admins and verify the timing against maintenance windows. Use a web application firewall (WAF) or security plugin to alert on XSS patterns in POST requests to the Store Locator settings endpoint.
Why prioritize this
Although the CVSS score is LOW (3.5), this vulnerability warrants prompt attention in multisite WordPress networks because it can be weaponized in a supply-chain-like manner—a compromised site admin injects a payload that later executes for the super admin, potentially leading to network-wide compromise. Single-site installations should also patch but can deprioritize slightly if all administrators are trusted. The lack of public exploitation (not in KEV) lowers immediate urgency, but the ease of injection and persistence of stored XSS justifies rapid patching.
Risk score, explained
The CVSS 3.1 score of 3.5 (LOW) is driven by: (1) high privileges required (PR:H), making opportunistic attacks unlikely; (2) requirement for user interaction (UI:R) from a second admin; (3) limited impact scope (S:U, no cross-boundary effects); and (4) no availability impact (A:N). However, contextual risk is higher in multisite environments. Organizations should assess their own admin trust model and network architecture before relying solely on the CVSS rating for prioritization.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated users or low-privilege accounts?
No. The vulnerability requires administrator-level access to inject the malicious payload into the Store Locator settings. It cannot be exploited remotely by anonymous users or by users with subscriber or contributor roles. In multisite networks, only site admins can inject; the payload then executes when a super admin visits the page.
Does updating the plugin require downtime or cause configuration loss?
No. Updating the Store Locator plugin from the WordPress admin interface is non-disruptive. Your plugin settings and store data are preserved. We recommend testing the update on a staging site first, especially for production environments, but downtime is not required.
How can a super admin on a multisite installation detect if a site admin has already injected malicious code?
Check the Store Locator plugin settings page directly and look for unexpected JavaScript in text fields. Enable and review audit logs from a security plugin. If the plugin was not in use before, any new settings should be flagged. Additionally, inspect database tables (if you have direct access) for serialized XSS payloads in the plugin's option keys.
Is this vulnerability actively being exploited in the wild?
No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has no public proof-of-concept. However, attackers who gain admin access through other means (credential theft, supply-chain compromise) may use it opportunistically to escalate or persist privileges in multisite networks.
This analysis is based on the published CVE description and CVSS vector. No exploit code or weaponized proof-of-concept has been developed or released. Verify patch availability and compatibility with your WordPress environment before deployment. This advisory does not constitute legal or compliance advice. Organizations should conduct their own risk assessment based on their specific WordPress configurations, admin trust models, and multisite deployment status. SEC.co makes no warranty regarding the accuracy of vendor advisories or patch release timelines. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0