{"api_version":"1","generated_at":"2026-06-10T13:41:24+00:00","cve":"CVE-2026-9060","urls":{"html":"https://cve.report/CVE-2026-9060","api":"https://cve.report/api/cve/CVE-2026-9060.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9060","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9060"},"summary":{"title":"Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style","description":"The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).","state":"PUBLISHED","assigner":"WPScan","published_at":"2026-06-10 07:16:25","updated_at":"2026-06-10 11:17:04"},"problem_types":["CWE-79","CWE-79 Cross-Site Scripting (XSS)","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://wpscan.com/vulnerability/1ed01413-09a2-4a2e-be5b-375f2a327d0d/","name":"https://wpscan.com/vulnerability/1ed01413-09a2-4a2e-be5b-375f2a327d0d/","refsource":"contact@wpscan.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9060","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9060","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Unknown","product":"Store Locator WordPress","version":"affected 1.6.6 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"WPScan","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-9060","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-10T10:40:12.688194Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T10:40:36.056Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Store Locator WordPress","vendor":"Unknown","versions":[{"lessThan":"1.6.6","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"coordinator","value":"WPScan"}],"descriptions":[{"lang":"en","value":"The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page)."}],"problemTypes":[{"descriptions":[{"description":"CWE-79 Cross-Site Scripting (XSS)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T06:00:11.834Z","orgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","shortName":"WPScan"},"references":[{"tags":["exploit","vdb-entry","technical-description"],"url":"https://wpscan.com/vulnerability/1ed01413-09a2-4a2e-be5b-375f2a327d0d/"}],"source":{"discovery":"EXTERNAL"},"title":"Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style","x_generator":{"engine":"WPScan CVE Generator"}}},"cveMetadata":{"assignerOrgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","assignerShortName":"WPScan","cveId":"CVE-2026-9060","datePublished":"2026-06-10T06:00:11.834Z","dateReserved":"2026-05-20T07:36:52.264Z","dateUpdated":"2026-06-10T10:40:36.056Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-10 07:16:25","lastModifiedDate":"2026-06-10 11:17:04","problem_types":["CWE-79","CWE-79 Cross-Site Scripting (XSS)","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":0.9,"impactScore":2.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9060","Ordinal":"1","Title":"Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style","CVE":"CVE-2026-9060","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9060","Ordinal":"1","NoteData":"The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).","Type":"Description","Title":"Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style"}]}}}