CVE-2026-9062 is a vulnerability in the Store Locator WordPress plugin before version 1.6.9. The plugin does not properly validate a parameter before using it in a file path, which allows high-privileged users, such as administrators, to read arbitrary `.php` files from the server. This includes configuration files that contain database credentials and authentication keys.
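
The class of flaw behind CVE-2026-9062, as an added PHP example that is not the plugin's own code: it contrasts building a path by direct concatenation with a strict name check followed by `realpath` containment. The function names, directory layout and file names are hypothetical, since the advisory does not name the affected parameter or file.

```php
<?php
// Added illustration with hypothetical names; not the Store Locator plugin's code.

// Unsafe pattern of the kind the advisory describes: the request value goes
// straight into a path, so the result is not confined to $baseDir.
function unsafe_view_path(string $baseDir, string $name): string
{
    return $baseDir . '/' . $name . '.php';
}

// Hardened form: strict name format, then canonicalise and confirm containment.
function safe_view_path(string $baseDir, string $name): ?string
{
    // 1. Only short lowercase slugs; rejects separators, dots and NUL bytes.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // 2. Resolve symlinks and relative segments on both sides before comparing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // base directory missing or file does not exist
    }
    // 3. The resolved file must sit under the resolved base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed fixture: a views directory beside a config file holding secrets.
$root = sys_get_temp_dir() . '/sl-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/views', 0700, true);
file_put_contents($root . '/views/list.php', '<?php // constructed view');
file_put_contents($root . '/config.php', '<?php // constructed secret');

// Constructed inputs: a valid slug, a name that leaves the directory, a missing file.
foreach (['list', '../config', 'missing'] as $name) {
    $unsafe = unsafe_view_path($root . '/views', $name);
    $safe   = safe_view_path($root . '/views', $name);
    printf("%-10s unsafe=%-8s safe=%s\n", $name,
        file_exists($unsafe) ? 'readable' : 'absent',
        $safe === null ? 'rejected' : 'allowed');
}

// Remove the constructed fixture.
unlink($root . '/views/list.php');
unlink($root . '/config.php');
rmdir($root . '/views');
rmdir($root);
```

Restricting the handler to administrators does not replace this check, since the user described in the advisory is already high-privileged.
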
CVE-2026-9061 is a Stored Cross-Site Scripting (XSS) vulnerability in the Store Locator WordPress plugin before version 1.6.9. The plugin fails to properly sanitize and escape store logo metadata, which allows high-privileged users, such as administrators, to inject malicious scripts. This vulnerability can be exploited even when the `unfiltered_html` capability is disallowed, such as in a multisite network.