CVE-2026-3361: WP Store Locator Plugin XSS Vulnerability

CVE-2026-3361 Overview

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the wpsl_address post meta value in versions up to and including 2.2.261. This vulnerability exists due to insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. The malicious scripts execute whenever a user accesses an injected page and opens an injected map marker info window.

Critical Impact

Authenticated attackers can persistently inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further compromise of WordPress administrative accounts.

Affected Products

• WP Store Locator plugin for WordPress versions up to and including 2.2.261
• WordPress installations using vulnerable WP Store Locator plugin versions

Discovery Timeline

• April 23, 2026 - CVE-2026-3361 published to NVD
• April 23, 2026 - Last updated in NVD database

Technical Details for CVE-2026-3361

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability (CWE-79) affects the WP Store Locator WordPress plugin through improper handling of the wpsl_address post meta value. The plugin fails to adequately sanitize user-supplied input and escape output when rendering map marker information windows. This architectural weakness allows attackers with contributor-level privileges to embed malicious JavaScript payloads that persist in the database and execute when other users interact with the affected map markers.

The attack requires authentication with at least contributor-level access, which limits the initial attack surface but still poses significant risk in multi-user WordPress environments where content contributors may be less trusted than administrators.

Root Cause

The root cause of this vulnerability is insufficient input sanitization and output escaping in the plugin's handling of the wpsl_address post meta field. When store location data is saved and subsequently rendered in map marker info windows, the plugin does not properly sanitize the address input or escape the output, allowing HTML and JavaScript to be injected and executed in the browser context of users viewing the map.

Attack Vector

The attack is network-based and requires the attacker to have authenticated access with contributor-level permissions or higher. The attacker crafts a malicious store location entry with JavaScript embedded in the address field. When this data is saved as post meta and later rendered in a map marker info window, the script executes in the victim's browser without their interaction beyond opening the info window. The changed scope means the vulnerability can impact resources beyond the vulnerable component, affecting other users' sessions and potentially the broader WordPress installation.

The vulnerability can be exploited by submitting a crafted wpsl_address value containing JavaScript payloads such as event handlers or script tags. When the map marker info window is opened by any user, the unsanitized content is rendered, causing the injected script to execute in the victim's browser context.

Detection Methods for CVE-2026-3361

Indicators of Compromise

• Unusual or suspicious JavaScript content in wpsl_address post meta values in the WordPress database
• Unexpected script tags, event handlers, or encoded JavaScript in store location address fields
• User reports of unexpected browser behavior when viewing store locator maps
• Suspicious contributor-level user activity creating or modifying store locations

Detection Strategies

• Monitor WordPress post meta tables for wpsl_address entries containing HTML tags, script elements, or JavaScript event handlers
• Implement Web Application Firewall (WAF) rules to detect XSS payloads in form submissions to the WP Store Locator plugin
• Review WordPress audit logs for unusual store location creation or modification activity by contributor-level users
• Scan existing database entries for potential stored XSS payloads using WordPress security scanning plugins

Monitoring Recommendations

• Enable detailed logging for WordPress user actions, particularly for content creation and modification by non-administrator users
• Configure alerts for database modifications to post meta tables associated with the WP Store Locator plugin
• Implement Content Security Policy (CSP) headers to mitigate the impact of any successful XSS exploitation
• Regular security audits of stored content in the WP Store Locator plugin tables

How to Mitigate CVE-2026-3361

Immediate Actions Required

• Update the WP Store Locator plugin to the latest patched version immediately
• Audit existing store location entries for malicious content in the wpsl_address field
• Review and restrict contributor-level access to only trusted users
• Implement Content Security Policy headers to reduce the impact of potential XSS attacks

Patch Information

A patch has been released to address this vulnerability. The fix is available in the WordPress Plugin Change Log. Site administrators should update to the latest version of WP Store Locator that includes proper input sanitization and output escaping for the wpsl_address post meta value. Additional technical details are available in the Wordfence Vulnerability Report.

Workarounds

• Temporarily disable the WP Store Locator plugin until the patch can be applied
• Restrict contributor-level access and above to only highly trusted users
• Implement server-side input validation for all store location form submissions
• Use a Web Application Firewall (WAF) to filter potential XSS payloads in incoming requests
• Manually sanitize existing wpsl_address entries in the database to remove any potentially malicious content

# WordPress CLI command to update the plugin
wp plugin update wp-store-locator

# Verify the current plugin version
wp plugin get wp-store-locator --field=version