Ghostwire
Home / Vulnerabilities / CVE-2026-3361

CVE-2026-3361: The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta...

MEDIUM CVSS 6.4 Exploit Available

Published: April 23, 2026 | Last Modified: April 23, 2026

Description

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (15 articles)

CVE Feed
CVE-2026-3361 - WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta
 CVE Feed
CVE-2026-33611 - Insufficient validation of HTTPS and SVCB records
 Tenable CVEs
CVE-2026-33611
 Tenable CVEs
CVE-2026-33610
 CVE Feed
CVE-2026-33610 - Possible file descriptor exhaustion in forward-dnsupdate
 CVE Feed
CVE-2026-33618 - Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings
 Tenable CVEs
CVE-2026-33618
 Tenable CVEs
CVE-2026-33617
 Tenable CVEs
CVE-2026-33616
 CVE Feed
CVE-2026-33617 - MB connect line mbCONNECT24 vulnerable to an unauthenticated information disclosure in the data24 Endpoint
 Tenable CVEs
CVE-2026-33615
 Tenable CVEs
CVE-2026-33614
 Tenable CVEs
CVE-2026-33613
 Tenable CVEs
CVE-2026-33619
 CVE Feed
CVE-2026-33619 - PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

References