CVE-2021-24289: 
WordPress vulnerability analysis and mitigation

CVE-2021-24289 is a critical vulnerability discovered in the WordPress Store Locator Plus plugin versions below 5.9. The vulnerability was publicly disclosed on April 26, 2021, and affects the plugin's user meta data update functionality. This security flaw enables authenticated users to elevate their privileges to administrator level on any site using the affected plugin versions (WPScan, Wordfence).

The vulnerability has been assigned a CVSS score of 9.9 (Critical), indicating its severe nature. The issue stems from improper access controls in the plugin's functionality that handles user meta data updates. While CSRF protection was later added to block low-level users from accessing the endpoint, the vulnerability remained partially unpatched as no proper capability checks were implemented. The vulnerability is classified as CWE-269 and falls under the OWASP Top 10 category of Broken Authentication and Session Management (WPScan).

The vulnerability allows authenticated users to modify their user meta data to gain administrator privileges on any WordPress site running the affected plugin versions. This privilege escalation capability potentially enables complete control over the affected WordPress installations (Wordfence).

The vulnerability was partially addressed in version 5.9 of the Store Locator Plus plugin. While CSRF protection was added to block low-level users from accessing the vulnerable endpoint, the core issue of missing capability checks remained unresolved. Site administrators are advised to update to version 5.9 or later, though it's worth noting that the plugin was ultimately closed due to these security concerns (Wordfence).