Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin

Store Locator Plus is a plugin designed to add a store locator to a WordPress site and makes it very simple to do so. Unfortunately, there was functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. This could allow attackers to gain administrative access to a site and completely take it over.
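The bug class described above, as an added example that is neither the plugin's code nor code from the Wordfence post: a WordPress handler that lets a logged-in user update their own profile meta. Taking a caller-supplied meta key and passing it straight to `update_user_meta()` is the insecure pattern; the hardened form below allowlists keys, sanitizes values and writes only to the caller's own account. All `slp_example_` names are placeholders, not identifiers from the real plugin.

```php
<?php
// Added example (not the plugin's code). The insecure anti-pattern this replaces is:
//   update_user_meta( get_current_user_id(), $_POST['meta_key'], $_POST['meta_value'] );
// which lets any authenticated user write arbitrary keys, including the capabilities
// meta that determines the account's role, and so promote themselves to administrator.

add_action( 'wp_ajax_slp_example_update_profile', 'slp_example_update_profile' );

function slp_example_update_profile() {
    // 1. wp_ajax_* only fires for logged-in users, but still bind the request to a
    //    nonce issued with wp_create_nonce( 'slp_example_profile_nonce' ) to stop CSRF.
    check_ajax_referer( 'slp_example_profile_nonce', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // 2. Allowlist of meta keys a user may set about themselves, each paired with the
    //    sanitizer applied to its value. Any other key is rejected, no matter who asks.
    $allowed = array(
        'slp_example_phone'      => 'sanitize_text_field',
        'slp_example_store_name' => 'sanitize_text_field',
    );

    $key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';

    // The allowlist is the real control; is_protected_meta() is a second guard that
    // also refuses WordPress's own underscore-prefixed internal keys.
    if ( ! array_key_exists( $key, $allowed ) || is_protected_meta( $key, 'user' ) ) {
        wp_send_json_error( 'meta key not permitted', 400 );
    }

    // 3. Sanitize the value with the per-key sanitizer before it touches the database.
    $raw   = isset( $_POST['meta_value'] ) ? wp_unslash( $_POST['meta_value'] ) : '';
    $value = call_user_func( $allowed[ $key ], $raw );

    // 4. Write only to the authenticated caller's own ID, never one taken from the request.
    update_user_meta( $user_id, $key, $value );

    wp_send_json_success( array( 'key' => $key ) );
}
```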

Wordfence strongly recommends deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.

In addition to the privilege escalation vulnerability, Wordfence found several endpoints in the plugin that could allow unauthenticated attackers to inject malicious JavaScript into pages. These could be used by an attacker to inject backdoors or add new administrative user accounts, ultimately leading to complete site compromise.

We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, you should also be using Wordfence’s Web Application Firewall, which has rules in place to mitigate attacks.

Source: https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin
