CVE-2026-9060

Published Jun 10, 2026

Last updated 4 days ago

CVSS low 3.5

Overview

Description
The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).
Source
contact@wpscan.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.5
Impact score
2.5
Exploitability score
0.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Severity
LOW

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-79

Social media

Hype score
Not currently trending

  1. 🚨*CVE* CVE-2026-9060 The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plug… https://t.co/KEFPj72yJG ----- Traducción: CVE-2026-9060 El … https://t.co/utmtNg

    @infoflowcloud

    10 Jun 2026

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.