CVE-2026-9061

Name of the Vulnerable Software and Affected Versions Store Locator WordPress plugin versions prior to 1.6.9

Description Insufficient sanitization and escaping of store logo metadata before it is stored and displayed on the admin page allows high-privileged users, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks. This occurs even in environments where the unfiltered html capability is disabled, such as in multisite networks.

Recommendations Update the plugin to version 1.6.9 or later.