{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3361", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T19:42:11.662Z", "datePublished": "2026-04-23T03:26:36.668Z", "dateUpdated": "2026-04-23T14:00:30.776Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-23T03:26:36.668Z"}, "affected": [{"vendor": "tijmensmit", "product": "WP Store Locator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.261", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window."}], "title": "WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supanat Konprom"}], "timeline": [{"time": "2026-04-22T14:42:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:00:19.560782Z", "id": "CVE-2026-3361", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:00:30.776Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3361", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T19:42:11.662Z", "datePublished": "2026-04-23T03:26:36.668Z", "dateUpdated": "2026-04-23T14:00:30.776Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-23T03:26:36.668Z"}, "affected": [{"vendor": "tijmensmit", "product": "WP Store Locator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.261", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window."}], "title": "WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supanat Konprom"}], "timeline": [{"time": "2026-04-22T14:42:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3361", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:00:19.560782Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:00:26.884Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window."}], "id": "CVE-2026-3361", "lastModified": "2026-04-23T14:28:55.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-23T04:16:18.807", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.261]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Store Locator", "source": "cna", "vendor": "tijmensmit"}, "product": "wp_store_locator", "vendor": "tijmensmit"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T14:59:48.977556+00:00", "value": {"mitigation_remediation": ["Upgrade WP Store Locator to the latest version (currently 2.2.262 or later).", "If a patch is not immediately available, remove the wpsl_address field from posts or replace its value with a sanitized version, ensuring no script tags or event handlers are present.", "Revoke or reduce contributor roles on the WordPress site, limiting who can modify store entries until the issue is resolved."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting via the wpsl_address post meta field"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP Store Locator plugin version 2.2.261 or earlier are affected. The plugin is developed by tijmensmit and the vulnerable code resides in the wpsl_address post meta handler.", "description_and_impact": "The WP Store Locator plugin contains a stored cross\u2011site scripting vulnerability that allows authenticated users with contributor\u2011level access or higher to insert arbitrary JavaScript into the wpsl_address post meta field. The injected script is rendered when a user views a page containing the affected store entry or opens a map marker info window, providing the attacker with the ability to deface content, hijack sessions, or delivery malware to end users.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1%, so exploitation is considered unlikely but not impossible. It is not listed in the CISA KEV catalog. Attackers must be authenticated with at least contributor privileges and must be able to create or edit store entries; once the malicious content is stored, any visitor who loads the affected page or map marker will execute the injected script."}}}}, "created": "2026-04-28T09:26:23.873086+00:00", "updated": "2026-04-28T15:00:14.545800+00:00", "vendors": ["tijmensmit", "tijmensmit$PRODUCT$wp_store_locator", "wordpress", "wordpress$PRODUCT$wordpress"]}