CVE-2026-9060 · EPSS p3.9%

Description

The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the plugin's admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page).

Scoring

CVSS: 3.5
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.14% probability of exploitation · percentile 3.9% · 2026-06-19T12:03:05Z
Last modified: 2026-06-10

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-9594
CVE: CVE-2026-2827
CVE: CVE-2026-5714
CVE: CVE-2025-1232
CVE: CVE-2026-10862
CVE: CVE-2026-8981

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.