CVE-2026-9060 Overview
CVE-2026-9060 is a Stored Cross-Site Scripting (XSS) vulnerability in the Store Locator WordPress plugin before version 1.6.6. The plugin fails to sanitize and escape one of its settings before storing it and rendering it on the admin page. High-privileged users such as administrators can inject malicious JavaScript that executes when other administrators view the affected page. The flaw bypasses the unfiltered_html capability restriction, making it relevant in WordPress multisite networks where super admins visit the page. The vulnerability is tracked under CWE-79 and was published to the National Vulnerability Database (NVD) on June 10, 2026.
Critical Impact
Authenticated administrators can store malicious scripts that execute in the browser session of any user visiting the plugin's admin page, including multisite super admins.
Affected Products
- Store Locator WordPress plugin versions prior to 1.6.6
- WordPress single-site installations with the plugin enabled
- WordPress multisite networks with the plugin activated for super admin access
Discovery Timeline
- 2026-06-10 - CVE-2026-9060 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-9060
Vulnerability Analysis
The Store Locator plugin exposes a settings field in its administration interface that accepts user-supplied input. The plugin writes this input directly to the database without sanitization. When the admin page renders the stored value, it outputs the content without proper escaping. An attacker with administrator privileges can supply JavaScript payloads that persist in the database and execute when any privileged user loads the settings page.
The issue is classified as CWE-79, Improper Neutralization of Input During Web Page Generation. The EPSS probability of exploitation is 0.027%, reflecting the high privilege requirement. However, the impact is meaningful in multisite contexts where the unfiltered_html capability is restricted to super admins. A regular site administrator on a subsite can plant a payload that fires in the super admin's browser session.
Root Cause
The root cause is missing input sanitization on write and missing output escaping on read. WordPress provides sanitize_text_field(), wp_kses(), and esc_attr() for these purposes, but the affected setting handler does not apply them. This allows raw HTML and <script> tags to flow from form input into rendered admin markup.
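To make the write/read gap concrete, here is an added PHP illustration (not the Store Locator plugin's own code) of a settings handler in the vulnerable shape beside the hardened shape; the option key sl_example_setting, the nonce action and the settings group are assumed names.

```php
<?php
// Added illustration, not the Store Locator plugin's own code. The option key
// 'sl_example_setting', the nonce action and the settings group are assumptions.

// --- Vulnerable pattern: raw POST value saved, raw stored value echoed ---
function sl_vuln_save_setting() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'sl_save_setting' );
    // No sanitize_text_field()/wp_kses(): "<script>" reaches the database.
    update_option( 'sl_example_setting', wp_unslash( $_POST['sl_example_setting'] ?? '' ) );
}

function sl_vuln_render_field() {
    $value = get_option( 'sl_example_setting', '' );
    // No esc_attr(): a stored '"><script>...</script>' breaks out of the attribute.
    echo '<input type="text" name="sl_example_setting" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on write, escape on read ---
function sl_safe_sanitize( $value ) {
    // A plain-text setting needs no markup, so strip tags and control characters
    // regardless of the saver's capabilities (unfiltered_html does not apply here).
    // If limited HTML were required, wp_kses() with an explicit allowlist would go here.
    return sanitize_text_field( (string) $value );
}

function sl_safe_register_setting() {
    // WordPress runs sanitize_callback on every update_option() for this key,
    // so the Settings API save path cannot bypass it.
    register_setting( 'sl_settings_group', 'sl_example_setting', array(
        'type'              => 'string',
        'sanitize_callback' => 'sl_safe_sanitize',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'sl_safe_register_setting' );

function sl_safe_render_field() {
    $value = get_option( 'sl_example_setting', '' );
    // esc_attr() encodes quotes and angle brackets at output time, so even a
    // value written to the database before the fix cannot break out of the attribute.
    printf(
        '<input type="text" name="sl_example_setting" value="%s">',
        esc_attr( $value )
    );
}
```

Escaping on output is what protects sites that upgrade with a payload already stored; sanitizing on input alone leaves existing rows live until the audit in the mitigation section below is done.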
Attack Vector
Exploitation requires an authenticated administrator account and user interaction from a victim with access to the plugin's admin page. The attacker submits a malicious payload through the vulnerable setting. The payload persists until another administrator or super admin opens the admin page, at which point the script executes in that user's authenticated session. The attacker can then perform actions on behalf of the victim, including session token theft, CSRF token harvesting, or plugin and theme installation.
No verified proof-of-concept code is available. Refer to the WPScan Vulnerability Report for technical details.
Detection Methods for CVE-2026-9060
Indicators of Compromise
- Unexpected <script>, <svg>, or event-handler attributes (onerror, onload) stored in Store Locator plugin settings within the wp_options table
- Outbound HTTP requests from administrator browser sessions to unfamiliar domains shortly after visiting the plugin admin page
- New unexpected administrator accounts or plugin installations following admin page visits
Detection Strategies
- Query the WordPress wp_options table for Store Locator plugin option keys and inspect values for HTML or JavaScript content
- Review web server access logs for POST requests to admin.php?page= endpoints associated with the Store Locator plugin
- Enable a Content Security Policy (CSP) in report-only mode on the WordPress admin to surface inline script execution attempts
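As an added example of the first detection strategy (not the plugin's or WordPress's code), this PHP helper scans option values, including serialized array settings, for the markup named in the indicators above; the option names and values are constructed, and real input would come from a wp_options query.

```php
<?php
// Added detection helper, not part of the plugin or of WordPress. Option names
// and values below are constructed; feed it real rows from wp_options instead.
// Heuristic patterns for markup that a plain-text setting should never contain.
const SL_SUSPICIOUS_PATTERNS = array(
    '/<\s*script\b/i',   // inline script tag
    '/<\s*svg\b/i',      // SVG carrying onload/onerror
    '/\bon[a-z]+\s*=/i', // event-handler attributes such as onerror= or onload=
    '/javascript\s*:/i', // javascript: URLs in href or src
);

// Walk a string or a nested array (decoded serialized setting) and collect hits.
function sl_scan_value( $value, string $path, array &$findings ): void {
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $child ) {
            sl_scan_value( $child, $path . '[' . $key . ']', $findings );
        }
        return;
    }
    if ( ! is_string( $value ) ) { return; } // ints, bools, null: nothing to scan
    foreach ( SL_SUSPICIOUS_PATTERNS as $pattern ) {
        if ( preg_match( $pattern, $value ) ) {
            $findings[] = array( 'path' => $path, 'sample' => substr( $value, 0, 80 ) );
            return; // one finding per value is enough for triage
        }
    }
}

// $options is option_name => option_value exactly as stored in wp_options.
function sl_find_suspicious_options( array $options ): array {
    $findings = array();
    foreach ( $options as $name => $raw ) {
        // WordPress stores array settings PHP-serialized; decode without
        // instantiating objects so the scan itself cannot be abused.
        $decoded = @unserialize( $raw, array( 'allowed_classes' => false ) );
        $value   = ( false !== $decoded || 'b:0;' === $raw ) ? $decoded : $raw;
        sl_scan_value( $value, $name, $findings );
    }
    return $findings;
}

// Constructed sample rows standing in for a wp_options query result.
$sample = array(
    'sl_example_title'   => 'Find a store near you',
    'sl_example_setting' => '"><img src=x onerror=alert(1)>',
    'sl_example_options' => serialize( array( 'radius' => '25', 'label' => '<svg onload=alert(1)>' ) ),
);
foreach ( sl_find_suspicious_options( $sample ) as $hit ) {
    printf( "%s: %s\n", $hit['path'], $hit['sample'] );
}
```

To run it against a live site, replace $sample with rows selected from $wpdb->options by the plugin's option-name prefix and execute the file with wp eval-file; the patterns are heuristics and will flag a few legitimate strings, so treat hits as triage candidates.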
Monitoring Recommendations
- Track plugin version inventory across WordPress fleets and alert on installations of Store Locator below version 1.6.6
- Monitor administrator session activity for anomalous API calls originating from the admin dashboard
- Audit changes to wp_options and wp_usermeta tables made by accounts that recently accessed the Store Locator settings page
How to Mitigate CVE-2026-9060
Immediate Actions Required
- Upgrade the Store Locator WordPress plugin to version 1.6.6 or later on all affected sites
- Audit existing Store Locator plugin settings for stored HTML or JavaScript content and remove any unexpected values
- Review administrator account inventory and revoke privileges for accounts that are no longer required
Patch Information
The vendor has released version 1.6.6 of the Store Locator plugin, which addresses the missing sanitization and escaping. Site operators should apply the update through the WordPress plugin manager or WP-CLI. See the WPScan Vulnerability Report for advisory details.
Workarounds
- Deactivate the Store Locator plugin until the patched version can be installed
- Restrict administrator role assignment on multisite networks and avoid granting site admin to untrusted users
- Apply a Content Security Policy that blocks inline scripts in the WordPress admin to limit payload execution
# Update the Store Locator plugin using WP-CLI
wp plugin update store-locator --version=1.6.6
# Verify the installed version across a multisite network
wp site list --field=url | xargs -I {} wp --url={} plugin get store-locator --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.