PatchSiren cyber security CVE debrief
CVE-2026-9061 Store Locator CVE debrief
CVE-2026-9061 is a Stored Cross-Site Scripting (XSS) vulnerability in the Store Locator WordPress plugin before version 1.6.9. The plugin fails to properly sanitize and escape store logo metadata, which allows high-privileged users, such as administrators, to inject malicious scripts. This vulnerability can be exploited even when the `unfiltered_html` capability is disallowed, such as in a multisite network.
- Vendor: Store Locator
- Product: Store Locator WordPress plugin
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-13
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-13
- Advisory updated: 2026-06-13
Who should care
Users of the Store Locator WordPress plugin, particularly those with high privileges (e.g., administrators), should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the admin page. This allows high-privileged users to perform Stored Cross-Site Scripting attacks.
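The pattern the summary says is missing, sanitizing on save and escaping on output, is sketched below as an added example. It is not the Store Locator plugin's code: the meta key, the function names, and the assumption that the logo is stored as a URL in post meta are all hypothetical.

```php
<?php
// Added example with hypothetical names; not taken from the Store Locator plugin.
const EXAMPLE_LOGO_META_KEY = '_example_store_logo'; // hypothetical meta key

/**
 * Save handler: sanitize the logo value before it is stored.
 * It does not depend on unfiltered_html, so it behaves the same on multisite.
 */
function example_save_store_logo( int $post_id, $raw_value ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Weak pattern: update_post_meta( $post_id, EXAMPLE_LOGO_META_KEY, $raw_value );
    $url = esc_url_raw( trim( wp_unslash( (string) $raw_value ) ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        // Empty or non-http(s) input: store nothing rather than the raw value.
        delete_post_meta( $post_id, EXAMPLE_LOGO_META_KEY );
        return;
    }
    update_post_meta( $post_id, EXAMPLE_LOGO_META_KEY, $url );
}

/**
 * Admin-page renderer: escape at output as well, because rows written
 * before the save handler was hardened may still hold unsanitized values.
 */
function example_render_store_logo( int $post_id ): void {
    $logo = get_post_meta( $post_id, EXAMPLE_LOGO_META_KEY, true );
    if ( ! is_string( $logo ) || '' === $logo ) {
        return;
    }
    // Weak pattern: echo '<img src="' . $logo . '">';
    $safe_url = esc_url( $logo, array( 'http', 'https' ) );
    if ( '' === $safe_url ) {
        return; // stored value is not an http(s) URL; render nothing
    }
    printf(
        '<img src="%s" alt="%s" class="example-store-logo" />',
        $safe_url,
        esc_attr( get_the_title( $post_id ) )
    );
}
```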
Defensive priority
High
Recommended defensive actions
- Update the Store Locator WordPress plugin to version 1.6.9 or later.
- Limit access to the plugin's admin page to only trusted users.
- Monitor for suspicious activity on the plugin's admin page.
Evidence notes
The CVE record was obtained from the official CVE.org website. Additional information was obtained from the NVD detail page and a source reference.
Official resources
- CVE-2026-9061 CVE record (CVE.org)
- CVE-2026-9061 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-9061 was published on 2026-06-13T07:16:14.370Z and has not been modified since then.