
Jay Nguyen

#26101 of 53,635
9.8 Total CVSS
Vulnerabilities · 1
PT-2024-17659
9.8
2024-12-20
WordPress · Store Locator For Wordpress With Google Maps – Lotsoflocales · CVE-2024-12571
**Name of the Vulnerable Software and Affected Versions**

The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress version 3.98.9

**Description**

The issue is a Local File Inclusion vulnerability that allows unauthenticated attackers to include and execute arbitrary files on the server via the `sl engine` parameter. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

**Recommendations**

For version 3.98.9, consider disabling the `sl engine` parameter until a patch is available to prevent exploitation. Restrict access to sensitive files and directories to minimize the risk of arbitrary file inclusion. Avoid using the `sl engine` parameter in API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.