📄 Description (English)
The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.
🤖 AI Executive Summary
CVE-2026-3361 is a Stored Cross-Site Scripting (XSS) vulnerability in WP Store Locator plugin affecting WordPress installations up to version 2.2.261. Authenticated contributors can inject malicious scripts via the 'wpsl_address' field that execute when users view map markers. While currently unpatched, the attack requires contributor-level access, limiting immediate risk but posing significant threats to multi-user WordPress deployments common in Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 16, 2026 12:36
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WP Store Locator for business directories, real estate platforms, and retail location services face elevated risk. Most vulnerable sectors include: E-commerce and retail businesses, Real estate and property management companies, Tourism and hospitality sector, Government agencies using WordPress for public information portals, Healthcare facilities with location-based services. The impact is amplified in organizations with multiple content contributors where insider threats or compromised contributor accounts could inject malicious scripts affecting customer-facing pages and damaging organizational reputation.
🏢 Affected Saudi Sectors
E-commerce & Retail
Real Estate & Property Management
Tourism & Hospitality
Government & Public Administration
Healthcare
Financial Services
Education
🎯 MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (WordPress plugin vulnerability)
T1598 — Phishing (XSS can be used for credential harvesting)
T1566 — Phishing (malicious scripts in map markers)
T1539 — Steal Web Session Cookie (XSS can capture session tokens)
T1056 — Keylogging (XSS can inject keyloggers)
T1040 — Network Sniffing (XSS can exfiltrate data)
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using WP Store Locator plugin — identify version numbers and deployment scope
2. Review contributor access logs for suspicious 'wpsl_address' modifications in the past 90 days
3. Implement strict access controls: restrict contributor role to trusted personnel only; consider demoting unnecessary contributors
4. Enable WordPress security logging and monitor for XSS-related alerts
COMPENSATING CONTROLS (until patch available):
5. Disable WP Store Locator plugin if not actively used; if required, restrict access to administrator-only
6. Implement Web Application Firewall (WAF) rules to detect/block XSS payloads in 'wpsl_address' parameters
7. Apply Content Security Policy (CSP) headers to prevent inline script execution
8. Use WordPress security plugins (Wordfence, Sucuri) with XSS detection capabilities
9. Sanitize database: search for suspicious scripts in wp_postmeta table where meta_key='wpsl_address'
DETECTION RULES:
10. Monitor for POST requests containing script tags, event handlers (onclick, onerror), or encoded payloads in wpsl_address parameters
11. Alert on contributor role modifications or privilege escalations
12. Track changes to wp_postmeta entries with meta_key='wpsl_address' for unusual patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون WP Store Locator — تحديد أرقام الإصدارات ونطاق النشر
2. مراجعة سجلات وصول المساهمين للتعديلات المريبة على 'wpsl_address' في آخر 90 يوماً
3. تنفيذ ضوابط وصول صارمة: تقييد دور المساهم للموظفين الموثوقين فقط؛ النظر في خفض المساهمين غير الضروريين
4. تفعيل تسجيل أمان WordPress ومراقبة التنبيهات المتعلقة بـ XSS
الضوابط البديلة (حتى توفر التصحيح):
5. تعطيل مكون WP Store Locator إذا لم يكن قيد الاستخدام النشط؛ إذا لزم الأمر، قصر الوصول على المسؤولين فقط
6. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها في معاملات 'wpsl_address'
7. تطبيق رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة
8. استخدام مكونات أمان WordPress (Wordfence, Sucuri) مع قدرات الكشف عن XSS
9. تطهير قاعدة البيانات: البحث عن برامج نصية مريبة في جدول wp_postmeta حيث meta_key='wpsl_address'
قواعد الكشف:
10. مراقبة طلبات POST التي تحتوي على علامات البرامج النصية أو معالجات الأحداث أو الحمولات المشفرة في معاملات wpsl_address
11. التنبيه على تعديلات دور المساهم أو تصعيد الامتيازات
12. تتبع التغييرات على إدخالات wp_postmeta مع meta_key='wpsl_address' للأنماط غير العادية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 — Information security policies and procedures (access control for contributor roles)
A.6.1.2 — User access management (authentication and authorization controls)
A.7.1.1 — Physical and environmental security (logical access controls)
A.8.2.1 — User endpoint devices (secure configuration of WordPress plugins)
A.8.3.1 — Information and other assets (protection of web application integrity)
🔵 SAMA CSF
Governance & Risk Management — vulnerability management and patch management processes
Information & Cybersecurity — application security controls and input validation
Resilience & Recovery — incident response for XSS-based attacks
🟡 ISO 27001:2022
A.5.1.1 — Policies for information security
A.6.1.2 — User registration and access rights management
A.8.2.1 — User endpoint devices
A.8.3.1 — Information and other assets
A.14.2.1 — Secure development policy
A.14.2.5 — Secure development environment
🟣 PCI DSS v4.0.1
Requirement 6.5.1 — Injection flaws (XSS is a form of injection attack)
Requirement 6.5.7 — Cross-site scripting (XSS)
Requirement 7.1 — Limit access to system components by business need-to-know