How can plugin install without admin approval?
Yesterday a plugin was installed without my knowledge on my WP site at https://enlightenedschools.com. I believe it was malicious and I uninstalled it, but I am now looking for information on how that could happen so I can be sure I’ve closed the barn door (so to speak).
Only my partner and I are admins, so there was no unauthorized user. I have been customizing the site’s registration process but I did not find any unauthorized users (definitely no unauthorized admins).
The unauthorized plugin is Simplelender – it appears to be relatively inactive now. But in the past, people have posted that it is difficult to uninstall (when you try to uninstall from the WP dashboard you get an error that you first need to uninstall the premium plugin, but there is no premium plugin). I removed it by deleting its files from the server.
I have been in touch with the company that sells the last plugin I installed but haven’t heard back yet. I don’t want to cause potential damage to their reputation at this point by naming them since I don’t know for certain where it came from. I have inspected the .zip file they provide for installation and it appears to be safe. But I’m not a security expert so I’m not sure what I should be looking for outside the obvious.
I have Googled this issue a lot and couldn’t find any articles describing it, so any hints on what I should be looking for would be appreciated. I do have iThemesSecurity installed and there were no clues in their logs.