The Wordfence Threat Intelligence team has released an advisory about vulnerabilities found in Store Locator Plus, a WordPress plugin with 9,000+ active installations.
On March 5, 2021, the Wordfence Threat Intelligence team completed an investigation that identified a privilege escalation vulnerability in Store Locator Plus, along with several other vulnerabilities.
These flaws remain unpatched, and the plugin is no longer available for download.
On March 5, 2021, the Wordfence team contacted the plugin's developer for the first time. They waited a week for an answer before attempting to contact the developer again. After receiving no answer for 20 days, the team escalated the issue to the WordPress Plugins team on March 25, 2021.
On April 5, 2021, the developer released a patch, but it was insufficient, and the plugin was closed on April 12, 2021.
Moments ago, the Wordfence Threat Intelligence team published advisement of vulnerabilities discovered in Store Locator Plus, a plugin installed on over 9,000 sites. These vulnerabilities remain unpatched and the plugin has been closed for new downloads. https://t.co/6EHoEEv10l — Wordfence (@wordfence) April 26, 2021
Store Locator Plus is a WordPress plugin that makes it easy to add a store locator to a site. Unfortunately, the plugin had a flaw that allowed any authenticated user to update their own user metadata and thereby become an administrator on any site that used the plugin. As a result, attackers could gain administrator access to a site and take it over completely.
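To show why an unrestricted user-metadata write is a privilege escalation and what the fix looks like, here is an added illustration written for this article; it is not Store Locator Plus code, and the action name `slp_demo_save_profile`, the meta keys and the nonce name are hypothetical. The vulnerable handler writes whatever key the request names; the hardened handler verifies a nonce, checks a capability, and accepts only an allowlist of keys.

```php
<?php
// Added illustration, not Store Locator Plus code. The AJAX action
// "slp_demo_save_profile", the meta keys and the nonce name are hypothetical.

// Vulnerable pattern: any logged-in user can write any meta key on their own
// account, including the key WordPress itself uses to store a user's roles,
// so a low-privileged user can promote themselves to administrator.
function slp_demo_save_profile_vulnerable() {
    $user_id = get_current_user_id();
    $key     = sanitize_text_field( wp_unslash( $_POST['meta_key'] ?? '' ) );
    $value   = wp_unslash( $_POST['meta_value'] ?? '' );
    update_user_meta( $user_id, $key, $value ); // no nonce, no allowlist
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce, capability check, and a fixed allowlist of
// keys with a sanitizer for each, so role or capability meta can never be
// written through this endpoint.
function slp_demo_save_profile_hardened() {
    check_ajax_referer( 'slp_demo_profile', 'nonce' );

    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array(
        'slp_demo_store_name' => 'sanitize_text_field',
        'slp_demo_store_zip'  => 'sanitize_text_field',
    );

    $key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'invalid key', 400 ); // anything outside the allowlist is rejected
    }

    $value = call_user_func( $allowed[ $key ], wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_user_meta( get_current_user_id(), $key, $value );
    wp_send_json_success();
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_slp_demo_save_profile', 'slp_demo_save_profile_hardened' );
```

When reviewing a plugin for this bug class, look for `update_user_meta` or `update_metadata` calls whose key comes from request input, and for handlers registered on `wp_ajax_` hooks that lack `check_ajax_referer` and a capability check.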