[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3m_xyZdXTrWuesyavhaPtOAXvfKJ4ya5cUmsME0bJ7w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-9060","store-locator-wordpress-authenticated-administrator-stored-cross-site-scripting","Store Locator WordPress \u003C 1.6.6 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Store Locator WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","agile-store-locator",null,"\u003C1.6.6","1.6.6","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-11 00:00:00","2026-06-15 19:21:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4360a04c-4e94-41a3-9553-aeb67e9682e0?source=api-prod",5,[22,23,24,25,26],"admin\u002Fpartials\u002Fuser_setting.php","agile-store-locator.php","includes\u002Fadmin\u002Fsetting.php","includes\u002Ffrontend\u002Fapp.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-9060\n\n## 1. Vulnerability Summary\nThe **Store Locator WordPress (agile-store-locator)** plugin is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)** in versions up to 1.6.6. The vulnerability exists in the `save_setting` method within `includes\u002Fadmin\u002Fsetting.php`, which handles the saving of plugin configurations. \n\nUser input from `$_POST['data']` and `$_POST['map_style']` is processed using `stripslashes_deep` or `stripslashes` but is not passed through WordPress sanitization functions (like `sanitize_text_field` or `wp_kses`). These values are stored directly in the database (`asl_configs` table and `asl_settings` table). When these settings are later retrieved and rendered on the frontend (via `wp_localize_script` or direct output in templates), the injected scripts execute.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `asl_save_setting` (Inferred from the method name `save_setting` in `Setting` class)\n*   **Vulnerable Parameters:** \n    *   `map_style`: Stored and rendered as part of the Google Maps initialization.\n    *   `data[api_key]`: Stored and rendered in admin and frontend contexts.\n    *   `slug_attr_ddl`: Processed via `Helper::set_setting`.\n*   **Authentication Level:** Administrator (or users with the `administrator` capability as defined by the `ASL_PERMISSION` constant).\n*   **Preconditions:** \n    *   The attacker must have Administrator-level access.\n    *   The vulnerability is particularly relevant in **Multisite** environments or environments where `unfiltered_html` has been disabled for Administrators.\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated administrator sends a POST request to `admin-ajax.php` with the action `asl_save_setting`.\n2.  **Processing:** The request is routed to `AgileStoreLocator\\Admin\\Setting::save_setting()`.\n3.  **Sink (Input):**\n    *   In `includes\u002Fadmin\u002Fsetting.php`, the function retrieves `$_POST['data']` and `$_POST['map_style']`.\n    *   It uses `stripslashes_deep($_POST['data'])` and `stripslashes($_POST['map_style'])`.\n    *   It performs a loop: `foreach ($keys as $key) { $wpdb->update(ASL_PREFIX . 'configs', ['value' => $data_[$key]], ['key' => $key]); }`.\n    *   It calls `\\AgileStoreLocator\\Helper::set_setting(...)` for `map_style`.\n4.  **Storage:** The unsanitized payload is stored in the `wp_asl_configs` table (or similar prefix).\n5.  **Output (Frontend):** \n    *   `includes\u002Ffrontend\u002Fapp.php` calls `get_public_config()`, which executes `SELECT * FROM ... ASL_PREFIX configs`.\n    *   The configuration is passed to the frontend via `wp_localize_script` under the object name `asl_configs`.\n    *   Alternatively, `map_style` may be rendered raw within a `\u003Cscript>` block to initialize the map.\n\n## 4. Nonce Acquisition Strategy\nThe plugin uses the `asl_admin_conf` JavaScript object to store configuration data and nonces in the admin interface.\n\n1.  **Navigate:** Move the browser to the Store Locator settings page: `\u002Fwp-admin\u002Fadmin.php?page=asl-settings`.\n2.  **Extract:** Use `browser_eval` to retrieve the nonce from the localized script:\n    ```javascript\n    window.asl_admin_conf?.asl_nonce\n    ```\n3.  **Action String:** The nonce is likely generated with the action `asl_nonce` or similar, used to authorize the `asl_save_setting` AJAX call.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Nonce Extraction\n*   Authenticate as an Administrator.\n*   Navigate to `\u002Fwp-admin\u002Fadmin.php?page=asl-settings`.\n*   Execute `browser_eval(\"asl_admin_conf.asl_nonce\")` to get the nonce.\n\n### Step 2: Inject Stored XSS Payload\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload (injecting into `map_style`):**\n    ```\n    action=asl_save_setting\n    &asl_nonce=[EXTRACTED_NONCE]\n    &map_style=[]});alert(document.domain);\u002F\u002F\n    &data[api_key]=AIzaSy... (a valid-looking key)\n    &data[default_lat]=0\n    &data[default_lng]=0\n    ```\n    *Note: The `map_style` is often injected into a JS object. The `]});` part of the payload is designed to break out of the JSON\u002FArray structure in the resulting frontend script.*\n\n### Step 3: Trigger Execution\n*   Create or view a page containing the shortcode `[ASL_STORELOCATOR]`.\n*   The script will execute when the Google Map attempts to load the custom style.\n\n## 6. Test Data Setup\n1.  Install and activate **Agile Store Locator** version 1.6.5.\n2.  Create a WordPress Page with the following content:\n    ```text\n    [ASL_STORELOCATOR]\n    ```\n3.  Ensure the user used for the exploit has the `administrator` role.\n4.  (Optional) If testing for the `unfiltered_html` bypass specifically, define `define( 'DISALLOW_UNFILTERED_HTML', true );` in `wp-config.php`.\n\n## 7. Expected Results\n*   The `admin-ajax.php` response should return `{\"success\":true,\"msg\":\"Setting has been updated successfully.\"}`.\n*   When visiting the page with the `[ASL_STORELOCATOR]` shortcode, a JavaScript `alert(document.domain)` (or similar payload) should trigger.\n*   Checking the database will show the payload in the `value` column of the `asl_configs` table where `key = 'map_style'`.\n\n## 8. Verification Steps\n1.  **Verify Storage via WP-CLI:**\n    ```bash\n    wp db query \"SELECT value FROM wp_asl_configs WHERE \\`key\\` = 'map_style';\"\n    ```\n    Check if the output contains the raw `\u003Cscript>` or breakout payload.\n2.  **Verify Frontend Render:**\n    Use `http_request` to fetch the frontend page and grep for the payload:\n    ```bash\n    # Search for the breakout in the localized JS\n    grep \"alert(document.domain)\" \n    ```\n\n## 9. Alternative Approaches\nIf `map_style` is not rendered directly, target `data[api_key]`:\n*   Inject `\u003Cimg src=x onerror=alert(1)>` into `data[api_key]`.\n*   Check the Admin Settings page itself (`\u002Fwp-admin\u002Fadmin.php?page=asl-settings`). If the `api_key` input field value is rendered as `\u003Cinput value=\"\u003Cimg src=x onerror=alert(1)>\" ...>`, the XSS will trigger in the admin context when the administrator revisits the settings page.","gemini-3-flash-preview","2026-06-26 01:14:18","2026-06-26 01:15:10",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","1.6.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fagile-store-locator\u002Ftags\u002F1.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fagile-store-locator.1.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fagile-store-locator\u002Ftags\u002F1.6.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fagile-store-locator.1.6.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fagile-store-locator\u002Ftags"]