CVE-2021-24289
HIGH
Store Locator Plus for WordPress <= 5.5.14 - Authenticated Privilege Escalation to Administrator
Title source: llm
Description
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/078e93cd-7cf2-4e23-8171-58d44e354d62
Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin/
Scores
CVSS v3
8.8
EPSS
0.0115
EPSS Percentile
62.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-269
Status
published
Products (1)
de-baat/store_locator_plus
< 5.5.14
Published
May 17, 2021
Tracked Since
Feb 18, 2026