WP Store Locator < 2.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta | CVE 2026-3361 | Plugin Vulnerabilities

Description

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.

Affects Plugins

wp-store-locator

Fixed in 2.3.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

kai63001

Verified

No

WPVDB ID

bf797513-c160-44af-b1cc-349c84ffb6ca

Timeline

Publicly Published

2026-04-22 (about 21 days ago)

Added

2026-04-22 (about 21 days ago)

Last Updated

2026-04-23 (about 21 days ago)

Other

Published

Title

Published

2014-08-01

Title

Daisho - Unspecified XSS

Published

2024-11-08

Title

Location Click Map <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-24

Title

Gum Elementor Addon < 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-04-19

Title

WP Links Page < 4.9.4 - Contributor+ Stored XSS

Published

2024-12-13

Title

TCBD Popover <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting