Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin

On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites.

We initially reached out to the plugin’s developer on March 5, 2021. We received no response for a week before we attempted to make contact again. After receiving no response for 20 days, and after two contact attempts, we escalated the issue to the WordPress Plugins team on March 25, 2021, providing the full details of the vulnerability at the time of reporting.

The WordPress Plugins team responded to us the same day informing us that they would notify the plugin’s developer of our findings. The developer released a patch on April 5, 2021, but the patch was insufficient, leading to the closure of the plugin on April 12, 2021.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on March 5, 2021, while those still using the free version of Wordfence received the same protection on April 4, 2021. Regardless, we strongly recommend deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.

Description: Authenticated Privilege Escalation
Affected Plugin: Store Locator Plus
Plugin Slug: store-locator-le
Affected Versions: <= 5.5.14
CVE ID: CVE-2021-24289
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: Partially patched in version 5.5.15.

Store Locator Plus is a plugin designed to add a store locator to a WordPress site and makes it very simple to do so. Unfortunately, there was functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. This could allow attackers to gain administrative access to a site and completely take it over.

This vulnerability was partially patched in version 5.5.15. However, our analysis indicates that it is not sufficient and, therefore, should be treated as an unpatched vulnerability.

Description: Unauthenticated Stored Cross-Site Scripting
Affected Plugin: Store Locator Plus
Plugin Slug: store-locator-le
Affected Versions: <= 5.5.15
CVE ID: CVE-2021-24290
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: CURRENTLY UNPATCHED.

In addition to the privilege escalation vulnerability, we found several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. These could be used by an attacker to inject backdoors or add new administrative user accounts, ultimately leading to complete site compromise.

How can I protect my site?

We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, and you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected against any exploits targeting this vulnerability while searching for a replacement store locator solution.

We are intentionally providing minimal details about these vulnerabilities to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.

Did you enjoy this post? Share it!

Comments

2 Comments
  • Any new regarding a patch or update for Store Locator Plus? Nobody is saying anything. Please let us know.
    Thanks

    • Hi Daniel,

      Unfortunately, as of right now there is no available patch that we are aware of. I recommend looking into possible alternatives and you can rest assured knowing that Wordfence is keeping your site protected in the meantime.