CVE-2026-9061

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

13/06/2026

Last modified:

13/06/2026

Description

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

Impact

References to Advisories, Solutions, and Tools

https://wpscan.com/vulnerability/a9f8656a-548a-4353-b157-d07f23c3bc26/