cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for store-locator

Jun 16, 2026

Store Locator for WordPress with Google Maps – LotsOfLocales # 7ad9388b9ad67fc00ee00c6ecb4dba944397ad56

Date
May 15, 2015
Research Description
Store Locator for WordPress with Google Maps – LotsOfLocales [store-locator] < 2.12 (closed) WordPress Store Locator Plugin <= 2.6.1 - Cross Site Request Forgery This plugin is prone to a cross site request forgery vulnerability. Update the plugin.
Affected versions
max 2.12.
Status
vulnerable

Store Locator for WordPress with Google Maps – LotsOfLocales # 461cdcce-10c8-49e6-8a85-e7aead267554

Date
-
Research Description
Store Locator for WordPress with Google Maps – LotsOfLocales [store-locator] < 2.12 (closed) Store Locator <= 2.6.1 - Cross-Site Request Forgery The store-locator WordPress plugin was affected by a Cross-Site Request Forgery security vulnerability.
Affected versions
max 2.12.
Status
vulnerable

Store Locator for WordPress with Google Maps – LotsOfLocales # 2bee561a-8cf7-430b-9c72-2049d9776e34

Date
-
Research Description
Store Locator for WordPress with Google Maps – LotsOfLocales [store-locator] < 3.34 (closed) WordPress Store Locator 3.33.1 - SQL Injection Using a combination of GET fields, it is possible to perform a SQL Injection attack using the ‘sl-xml.php’ script. This injection is performed on the LIMIT of the SQL query; however, retrieving data via this vulnerability is very easy, because the script outputs the resulting SQL error should the query fail. The vulnerable section of code can be found in the file ‘sl-xml.php’. The $_POST scope is being passed through the ‘extract’ function, after which certain variables are used when building the query, without being filtered. As the PoC shows, a couple of other fields are required to successfully exploit this vulnerability.
Affected versions
max 3.34.
Status
vulnerable

Store Locator for WordPress with Google Maps – LotsOfLocales # 4fa71b8c7d29c3050b951adfff5bf47b58228f4e

Date
Feb 09, 2015
Research Description
Store Locator for WordPress with Google Maps – LotsOfLocales [store-locator] < 3.34 (closed) Store Locator < 3.34 - SQL Injection The Store Locator Plugin for WordPress is vulnerable to blind SQL Injection via the sl_vars[num_initial_displayed] parameter in versions before 3.34 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 3.34.
Status
vulnerable

Store Locator for WordPress with Google Maps – LotsOfLocales # f426f4bed17a59fb2e9150a529c7b250c2730586

Date
May 15, 2015
Research Description
Store Locator for WordPress with Google Maps – LotsOfLocales [store-locator] < 3.34 (closed) WordPress Store Locator Plugin <= 3.33.1 - SQL Injection Because of this vulnerability, remote authenticated users can execute arbitrary SQL commands. Update the plugin.
Affected versions
max 3.34.
Status
vulnerable

Jan 26, 2025

Store Locator for WordPress with Google Maps – LotsOfLocales # CVE-2025-23422

CVE, Research URL

CVE-2025-23422

Date
Jan 24, 2025
Research Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in moaluko Store Locator store-locator allows PHP Local File Inclusion. This issue affects Store Locator: from n/a through <= 3.98.10.
Affected versions
max 3.98.10.
Status
vulnerable

Dec 21, 2024

Store Locator for WordPress with Google Maps – LotsOfLocales # CVE-2024-12571

CVE, Research URL

CVE-2024-12571

Date
Dec 20, 2024
Research Description
The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions
max 3.98.9.
Status
vulnerable

Jun 07, 2024

Store Locator for WordPress with Google Maps – LotsOfLocales # CVE-2022-47446

CVE, Research URL

CVE-2022-47446

Date
May 24, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Viadat Creations Store Locator for WordPress with Google Maps – LotsOfLocales plugin <= 3.98.7 versions.
Affected versions
max 3.98.8.
Status
vulnerable

Store Locator for WordPress with Google Maps – LotsOfLocales # CVE-2014-8621

CVE, Research URL

CVE-2014-8621

Date
Oct 16, 2017
Research Description
SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.
Affected versions
Min 2.3, max 3.11.
Status
vulnerable