A stored cross-site scripting vulnerability affects WP Store Locator. This WordPress plugin helps businesses display store locations. CVE-2026-3361 has a CVSS score of 6.4 (Medium severity). The flaw allows attackers to inject malicious scripts into store listings.
CVE-2026-3361: About WP Store Locator
WP Store Locator lets site owners add interactive maps. Visitors can find nearby stores and branches. The plugin handles location data and user submissions. Many businesses rely on it for their store finder features.
CVE-2026-3361: The Vulnerability Explained
CVE-2026-3361 involves stored XSS in the location submission system. The plugin does not sanitize input data properly. Attackers can inject JavaScript code into store entries. This code runs when anyone views the affected location page.
The vulnerability affects WP Store Locator versions up to and including 2.2.6. User-submitted fields are written to the database without proper sanitization and are rendered without proper output escaping, so injected code is stored persistently and executes every time an affected page loads.
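The pattern described above, as an added example that is not WP Store Locator's own code: a location-submission handler that stores raw request data and echoes it straight into HTML, beside the hardened version that sanitizes on input and escapes for each output context. The function names and field names are assumptions for illustration; sanitize_text_field(), esc_html() and esc_url() are real WordPress functions, and the minimal shims at the top (approximations of their behaviour) only exist so the file runs with plain php outside WordPress.

```php
<?php
// Added example, not code from the WP Store Locator plugin or the advisory.
// Shims: approximations of the WordPress helpers so this runs stand-alone;
// inside WordPress the real functions are already defined and are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                 // drop any tags outright
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);   // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url = trim((string) $url);
        // Only http(s) links survive; javascript:, data: and the like become ''.
        return preg_match('#^https?://#i', $url)
            ? htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}

// VULNERABLE (assumed shape of the flaw): raw request values are stored as-is ...
function store_location_vulnerable(array $request): array {
    return [
        'name'    => $request['name'] ?? '',
        'address' => $request['address'] ?? '',
        'website' => $request['website'] ?? '',
    ];
}
// ... and later concatenated into markup with no escaping at all.
function render_location_vulnerable(array $loc): string {
    return '<div class="store"><h3>' . $loc['name'] . '</h3>'
         . '<p>' . $loc['address'] . '</p>'
         . '<a href="' . $loc['website'] . '">website</a></div>';
}

// HARDENED: sanitize on the way in, then escape for the exact context on the way out.
function store_location_hardened(array $request): array {
    return [
        'name'    => sanitize_text_field($request['name'] ?? ''),
        'address' => sanitize_text_field($request['address'] ?? ''),
        'website' => sanitize_text_field($request['website'] ?? ''),
    ];
}
function render_location_hardened(array $loc): string {
    return '<div class="store"><h3>' . esc_html($loc['name']) . '</h3>'   // text context
         . '<p>' . esc_html($loc['address']) . '</p>'                      // text context
         . '<a href="' . esc_url($loc['website']) . '">website</a></div>'; // URL attribute
}

// Constructed sample submission: one injection attempt per output context.
$submission = [
    'name'    => 'Main Street Branch<script>alert(1)</script>',
    'address' => '1 Main St" onmouseover="alert(2)',
    'website' => 'javascript:alert(3)',
];

echo "VULNERABLE:\n" . render_location_vulnerable(store_location_vulnerable($submission)) . "\n\n";
echo "HARDENED:\n"   . render_location_hardened(store_location_hardened($submission)) . "\n";
```

Running the file shows the vulnerable output carrying the script tag, a live attribute and a javascript: link, while the hardened output has the tag stripped, the quotes in the address encoded so the attribute boundary cannot be broken, and an empty href. The important point is the pairing: sanitizing on input alone is not enough, because the same stored string is rendered into at least three different HTML contexts and each needs its own escaping function.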
Potential Damage
Stored XSS can cause significant harm to your site. Attackers can steal visitor session cookies. They can redirect users to phishing pages. The injected scripts can also modify page content in real time.
The CVSS 6.4 score reflects the medium risk level. However, stored XSS is harder to detect than reflected XSS: the malicious code persists in the database rather than appearing only in a crafted request, and it remains there until you locate and remove it manually.
Who Is at Risk
Any WordPress site running WP Store Locator version 2.2.6 or older is exposed. Sites that allow user submissions face higher danger, because attackers can register an account and inject malicious code through the submission forms. They do not need admin access to exploit this flaw.
Remediation Steps
Update WP Store Locator to version 2.2.7 or newer. The fix adds proper input sanitization and output escaping. Review your store listings for suspicious content. Remove any entries that contain unexpected code.
Limit who can submit store locations on your site. Add CAPTCHA to submission forms. Review new submissions before publishing them. These steps reduce your exposure to XSS attacks.
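For the "review your store listings" step above, here is an added example (not part of the advisory or the plugin) of a read-only scan that flags listing fields containing markup that should never appear in plain name, address or city data. It runs with plain php on constructed rows; the commented $wpdb query shows how you would feed it real rows, and the post type name 'wpsl_stores' used there is an assumption about how the plugin stores locations, so verify it against your own database before relying on it.

```php
<?php
// Added example, not code from the WP Store Locator plugin or the advisory.

// Patterns that are strong indicators of injected markup in a text field.
const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'js_uri'         => '/javascript\s*:/i',
    'frame_or_embed' => '/<\s*(iframe|object|embed|svg)\b/i',
    'data_html_uri'  => '/data\s*:\s*text\/html/i',
];

/**
 * $rows: list of ['id' => post ID, 'field' => meta key, 'value' => stored text].
 * Returns only the rows that match, each with the names of the patterns hit.
 */
function find_suspicious_listings(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        // Decode entities once so a value stored as "&lt;script&gt;" is seen too.
        $text = html_entity_decode((string) $row['value'], ENT_QUOTES, 'UTF-8');
        $matched = [];
        foreach (SUSPICIOUS_PATTERNS as $name => $re) {
            if (preg_match($re, $text)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = ['id' => $row['id'], 'field' => $row['field'], 'patterns' => $matched];
        }
    }
    return $hits;
}

// Inside WordPress (for example via `wp eval-file scan.php`) the rows would come
// from postmeta. 'wpsl_stores' is an ASSUMED post type name; check it first.
//
//   global $wpdb;
//   $rows = $wpdb->get_results($wpdb->prepare(
//       "SELECT pm.post_id AS id, pm.meta_key AS field, pm.meta_value AS value
//          FROM {$wpdb->postmeta} pm JOIN {$wpdb->posts} p ON p.ID = pm.post_id
//         WHERE p.post_type = %s", 'wpsl_stores'), ARRAY_A);

// Constructed sample rows standing in for that query result.
$rows = [
    ['id' => 101, 'field' => 'wpsl_address', 'value' => '12 High Street'],
    ['id' => 102, 'field' => 'wpsl_city',    'value' => 'Leeds<script src=//example.invalid/x.js></script>'],
    ['id' => 103, 'field' => 'wpsl_url',     'value' => 'javascript:void(0)'],
    ['id' => 104, 'field' => 'wpsl_address', 'value' => 'Unit 4 &lt;img src=x onerror=alert(1)&gt;'],
    ['id' => 105, 'field' => 'wpsl_zip',     'value' => 'LS1 1AA'],
];

foreach (find_suspicious_listings($rows) as $hit) {
    printf("post %d, field %s: %s\n", $hit['id'], $hit['field'], implode(', ', $hit['patterns']));
}
```

On the sample rows the scan reports posts 102, 103 and 104 and stays silent on the two clean entries. Treat every hit as something to inspect by hand rather than delete automatically, and run the scan again after updating to 2.2.7, since the update stops new injections but does not clean entries that were stored before it.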
Final Thoughts
CVE-2026-3361 reminds us that XSS risks are everywhere. Even specialized plugins can have security gaps. WP Store Locator developers addressed the issue quickly. Update your plugin today to stay protected.
TrustIWP recommends regular security audits for your WordPress site. Keep all plugins current. Subscribe to our advisories for the latest CVE alerts. Stay safe and keep your store finder secure.
The WP Store Locator plugin is available on wordpress.org/plugins/wp-store-locator/.
WP Store Locator is a WordPress plugin that lets you display store locations on an interactive map. Businesses with physical locations use it to show address, hours, and directions. It stores location data, coordinates, and custom fields in the WordPress database.
The plugin supports custom markers, categories, and search filters. Visitors use the store locator to find nearby branches. A stored XSS vulnerability means an attacker can inject scripts that execute when store managers or visitors view location pages.
CVE-2026-3361 is a stored Cross-Site Scripting vulnerability. The plugin does not properly sanitize location data before storing it in the database. An attacker with contributor-level access can inject malicious JavaScript into store location fields.
The CVSS score is 6.4 (Medium). The injected scripts execute in the admin panel and on the frontend map pages. An attacker can steal session cookies, redirect store visitors, or inject phishing forms.