Store Locator Plus is a plugin designed to add a store locator to a WordPress site and makes it very simple to do so. Unfortunately, there was functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. This could allow attackers to gain administrative access to a site and completely take it over.
WordFence strongly recommends deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.
We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, you should also be using WordFence’s Web Application Firewall, which has rules in place to mitigate attacks.