Severe Vulnerabilities discovered in Store Locator Plus WordPress Plugin

The Wordfence Threat Intelligence team just released an announcement about vulnerabilities found in Store Locator Plus, a plugin that has been activated on 9,000+ websites.

On March 5, 2021, the Wordfence Threat Intelligence team completed an investigation that resulted in the detection of a privilege escalation vulnerability in Store Locator Plus, as well as several other vulnerabilities.

These flaws remain unpatched, and the plugin is no longer available for download.

On March 5, 2021, the Wordfence team contacted the plugin’s creator for the first time. They waited a week for an answer before attempting to contact them again. The team escalated the problem to the WordPress Plugins team on March 25, 2021, after receiving no answer for 20 days.

However, on April 5, 2021, the developer released a patch, but it was insufficient, resulting in the plugin’s closure on April 12, 2021.



Store Locator Plus is a WordPress plugin that makes it very easy to add a store locator to your blog. Unfortunately, the plugin had a flaw that allowed authenticated users to update their user metadata and become administrators on any site that used the plugin. As a result, attackers could be able to gain administrator access to a site and take it over completely.


Disclosure: Our content is reader-supported, which means that if you click on some of our links that we may earn a commission.