Overview
Security researchers and defenders have confirmed active exploitation of a critical vulnerability in the WP Maps Pro WordPress plugin, allowing attackers to create rogue administrator accounts on affected WordPress installations without any authentication. The exploitation is ongoing, putting an unknown number of WordPress sites at risk of full compromise.
The vulnerability requires no authentication and no user interaction — attackers need only be able to send an HTTP request to a targeted site running the vulnerable plugin version.
The Vulnerability
The flaw exists in the WP Maps Pro plugin, a premium WordPress plugin used to embed interactive maps on websites. The vulnerability allows an unauthenticated attacker to trigger an administrative user creation function exposed by the plugin, bypassing WordPress's native user registration controls.
Key characteristics:
- No authentication required — exploitable by any external attacker
- No user interaction — victim does not need to click anything
- Full administrator creation — attacker receives WordPress admin privileges
- Remote exploitation — exploitable over the network with a simple HTTP request
Attack Flow
1. Attacker identifies a WordPress site running vulnerable WP Maps Pro
2. Sends a specially crafted unauthenticated HTTP request
3. Plugin processes the request and creates a new WordPress admin account
4. Attacker logs in as administrator
5. Full site takeover achieved: install malware, steal data, deface site
Active Exploitation
According to reporting from BleepingComputer, exploitation of this vulnerability is active in the wild. Attackers are scanning for vulnerable WordPress installations and attempting to exploit the flaw at scale.
Common attacker goals after gaining WordPress admin access include:
- Malware injection — injecting malicious JavaScript or PHP backdoors into theme files
- SEO spam — adding hidden spammy links and content for black-hat SEO
- Credential harvesting — stealing customer data, payment info, or user credentials
- Hosting resource abuse — using the server for crypto mining or botnet activity
- Ransomware staging — encrypting or holding the site hostage
Affected Versions
| Plugin | Affected Versions | Status |
|---|---|---|
| WP Maps Pro | Vulnerable versions (check changelog for patched release) | Patch recommended immediately |
WordPress site administrators should check their installed plugin version and compare against the vendor's changelog to determine if they are running a vulnerable build.
Recommendations
Immediate Actions
- Update WP Maps Pro to the latest version immediately via the WordPress dashboard or by manually uploading the patched release
- Audit administrator accounts — check for any unfamiliar admin users created recently (WordPress Dashboard → Users → Administrators)
- Review recent user registrations — look for accounts created without a corresponding legitimate signup
- Check file integrity — scan theme files and plugin files for injected malicious code
Detection
WordPress site owners can detect compromise by looking for:
- Unexpected admin accounts — especially ones created around the same timeframe
- Unknown user emails in the WordPress user list
- Unusual login activity in access logs, particularly successful logins from unfamiliar IP addresses
- Modified theme or plugin files — use a file integrity checker or compare against known-good copies
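The administrator audit from the Immediate Actions list and the account and log checks above can be scripted against exported data. The following Python script is an added example, not code from the article or from the plugin vendor. It assumes a user export in the JSON shape that `wp user list --format=json` produces (fields `user_login`, `user_email`, `user_registered`, `roles`, with `user_registered` in UTC) and web-server access logs in the common combined format; the sample users and log lines embedded in it are constructed. It lists administrator accounts registered inside a look-back window and correlates each with successful `wp-login.php` logins (WordPress answers a successful login POST with a 302 redirect, a failed one with 200) from IP addresses outside an allowlist of known administrator addresses.

```python
"""Audit a WordPress site for recently created administrator accounts and
correlate them with successful logins from unfamiliar IP addresses.

Added example; the user export, access-log lines, allowlist and reference
time below are constructed sample data."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `wp user list --format=json`.
SAMPLE_USERS_JSON = """[
 {"ID": "1",  "user_login": "siteowner",   "user_email": "owner@example.com",
  "user_registered": "2021-03-04 10:12:00", "roles": "administrator"},
 {"ID": "57", "user_login": "wpmapsadmin", "user_email": "x9k2@example.net",
  "user_registered": "2024-05-20 02:14:33", "roles": "administrator"},
 {"ID": "58", "user_login": "jane",        "user_email": "jane@example.com",
  "user_registered": "2024-05-18 09:00:00", "roles": "subscriber"}
]"""

# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = """\
198.51.100.7 - - [19/May/2024:08:55:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.7 - - [19/May/2024:08:55:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "-"
203.0.113.45 - - [20/May/2024:02:14:39 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.45 - - [20/May/2024:02:14:41 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 7800 "-" "-"
203.0.113.46 - - [20/May/2024:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "-"
""".splitlines()

# Known administrator source addresses (constructed) and the audit reference time.
ALLOWLIST = {"198.51.100.7"}
NOW = datetime(2024, 5, 21, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path").split("?")[0],   # drop the query string
            "status": int(m.group("status")),
        })
    return entries


def load_admins(users_json):
    """Return only users whose roles include 'administrator', with a parsed
    registration timestamp (user_registered is stored in UTC)."""
    admins = []
    for u in json.loads(users_json):
        roles = [r.strip() for r in u.get("roles", "").split(",")]
        if "administrator" in roles:
            u = dict(u)
            u["registered"] = datetime.strptime(
                u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            admins.append(u)
    return admins


def recently_registered(admins, now, window_days=30):
    """Administrator accounts created within the look-back window."""
    cutoff = now - timedelta(days=window_days)
    return [a for a in admins if a["registered"] >= cutoff]


def successful_logins(entries, allowlist):
    """Successful wp-login.php POSTs (302 redirect into wp-admin; a failed
    attempt re-renders the form with 200) from IPs outside the allowlist."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"] == "/wp-login.php"
            and e["status"] == 302 and e["ip"] not in allowlist]


def correlate(new_admins, logins, window=timedelta(minutes=10)):
    """For each recently created admin, collect non-allowlisted login IPs seen
    within `window` after the account was registered."""
    findings = []
    for a in new_admins:
        hits = [e for e in logins
                if timedelta(0) <= e["ts"] - a["registered"] <= window]
        findings.append({
            "user_login": a["user_login"],
            "user_email": a["user_email"],
            "registered": a["registered"].isoformat(),
            "login_ips": sorted({e["ip"] for e in hits}),
        })
    return findings


def audit(users_json, log_lines, allowlist, now):
    """Full audit: recent admin accounts joined with suspicious logins."""
    new_admins = recently_registered(load_admins(users_json), now)
    logins = successful_logins(parse_log(log_lines), allowlist)
    return correlate(new_admins, logins)


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS_JSON, SAMPLE_LOG, ALLOWLIST, NOW):
        print(f"{f['user_login']:<14} {f['user_email']:<22} "
              f"registered {f['registered']} logins from {f['login_ips'] or 'none'}")
```

On the sample data the script reports the `wpmapsadmin` account, registered on 20 May and used six seconds later from `203.0.113.45`; the long-standing `siteowner` account falls outside the window and the failed login from `203.0.113.46` is ignored. An account that appears in this output with no corresponding signup is a candidate for removal, and the source addresses are worth carrying into the file-integrity review that follows.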
Hardening
- Keep all plugins updated (enable auto-updates for security releases)
- Install a WordPress security plugin (Wordfence, Sucuri, etc.)
- Enable two-factor authentication for all admin accounts
- Use activity logging (WP Activity Log plugin) to track user creation events
- Restrict wp-admin access by IP using .htaccess or a firewall rule
Broader Context: WordPress Plugin Risk
The WP Maps Pro exploitation follows a well-established pattern of WordPress plugin vulnerabilities being rapidly weaponized:
- WordPress powers approximately 43% of all websites globally
- Premium and free plugins are a recurring attack vector due to inconsistent security practices
- Unauthenticated privilege escalation vulnerabilities in WordPress plugins are among the most dangerous — they require minimal attacker skill and deliver immediate full compromise
WordPress site administrators are strongly advised to maintain automatic security updates and regularly audit installed plugins for necessity and update status.
Sources
- BleepingComputer — WP Maps Pro bug exploited to create admin accounts on WordPress sites