Description
The Store Locator Plus plugin for WordPress is prone to multiple vulnerabilities, including an information disclosure vulnerability and a SQL injection vulnerability. Exploiting these issues could allow an attacker to obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Store Locator Plus versions 2.7.1 to 3.0.1 are vulnerable; prior versions may also be affected.
Remediation
Restrict access to the wp-content/plugins/store-locator-le/core/load_wp_config.php file (e.g. via .htaccess) and edit the plugin source code to ensure that all user-supplied input is properly sanitised before it is used in database queries.
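The following .htaccess fragment is an added example of the first remediation step; it is not part of this advisory or of the plugin. It assumes the site runs on Apache with AllowOverride permitting per-directory Files and Require directives, and it is meant to be saved as wp-content/plugins/store-locator-le/.htaccess (a Files match applies to that directory and its subdirectories, so core/load_wp_config.php is covered). The mod_authz_core branch is for Apache 2.4; the fallback uses the Apache 2.2 syntax.

```apache
# Added example (not from the advisory): deny all web access to load_wp_config.php.
# Save as wp-content/plugins/store-locator-le/.htaccess (assumed location).
<Files "load_wp_config.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After deploying the file, request /wp-content/plugins/store-locator-le/core/load_wp_config.php from a browser or with curl and confirm the server answers 403; a 200 means AllowOverride is disabled for that path and the same Files block must go into the virtual host configuration instead. This only blocks direct requests to the script; it does not fix the injection itself, so the source-code sanitisation in the second remediation step is still required.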
References
Related Vulnerabilities
WordPress Plugin WP Glossary 'ajax.php' SQL Injection (0.1)
WordPress Plugin Judge.me Product Reviews for WooCommerce Cross-Site Scripting (1.3.20)
Squid Improper Input Validation Vulnerability (CVE-2016-2569)
WordPress Plugin Gravity Forms FreshDesk Cross-Site Scripting (1.2.8)
WordPress Improper Restriction of XML External Entity Reference Vulnerability (CVE-2021-29447)