WP Maps Pro Flaw Exploited to Create Unauthorized Admin Accounts

An unauthenticated privilege escalation flaw in WP Maps Pro, a WordPress plugin with 15,000 paid sites, is actively exploited to create unauthorized administrator accounts.

Attackers are actively exploiting a critical vulnerability in WP Maps Pro, a paid WordPress plugin with over 15,000 sales, to create unauthorized administrator accounts on affected sites — granting full control over site files, user data, and installed plugins without requiring any existing credentials or user interaction.

Unauthenticated Privilege Escalation in WP Maps Pro Enables Full WordPress Site Takeover

The vulnerability allows an unauthenticated attacker to trigger the admin account creation path in WP Maps Pro installations without logging in or interacting with any site user. WP Maps Pro is a commercial plugin used by businesses to display interactive maps; its paid user base makes it an attractive target, since commercial plugin customers are more likely to operate sites with transactional functionality and stored customer data.

What WP Maps Pro Admin Access Gives Attackers on Compromised Sites

Administrator access to a WordPress installation provides unrestricted control over the site. Threat actors with this access can install additional plugins to establish persistent backdoors, modify theme or plugin files to inject malicious scripts, redirect site traffic to attacker-controlled infrastructure, or extract user databases and stored payment information. Web skimming operations — which silently intercept payment card data on checkout pages — are a common objective for attackers who gain WordPress admin access through exploitation campaigns.

Scale of the WP Maps Pro Risk: 15,000 Paid Installations Under Active Attack

With over 15,000 paid sales and active exploitation confirmed, the window for unpatched WP Maps Pro sites to avoid compromise is narrow. Automated scanning tools routinely probe for known vulnerable WordPress plugin versions, meaning unpatched installations are likely to face attack attempts regardless of site size or visibility. Site owners should audit their wp_users database table immediately for any administrator accounts not recognized as legitimate, as attackers who have already exploited the flaw may have created accounts before the patch became available.

Patch Availability and Remediation Steps for WP Maps Pro Operators

A patch has been released and site operators should update WP Maps Pro to the latest version immediately. Because the vulnerability enables silent account creation, patching alone does not remove access already established by attackers. Full remediation requires verifying the complete administrator user list, reviewing recently added plugins or modified files, and checking site access logs for anomalous requests that may indicate prior exploitation.
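One way to carry out the administrator audit recommended above, as an added example that is not from the original article: a Python script over constructed rows shaped like WordPress's wp_users and wp_usermeta tables (the default `wp_` table prefix and the PHP-serialized `wp_capabilities` role array are assumed) that flags any administrator absent from a site-specific allowlist or registered after a chosen cutoff.

```python
import re
from datetime import datetime

# Constructed sample rows in the shape of WordPress's wp_users and wp_usermeta
# tables (default "wp_" prefix assumed); in practice these come from a DB export.
WP_USERS = [
    # (ID, user_login, user_email, user_registered)
    (1, "owner",   "owner@example.com",    "2021-03-10 09:12:00"),
    (2, "editor",  "editor@example.com",   "2022-07-01 14:30:00"),
    (3, "wpadmn",  "mail@example.invalid", "2025-01-18 03:41:12"),
    (4, "support", "support@example.com",  "2025-01-18 03:42:50"),
]
WP_USERMETA = [
    # (user_id, meta_key, meta_value); wp_capabilities is a PHP-serialized role array
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:1;}'),
]

# Matches each granted role entry ('s:<len>:"<role>";b:1;') in the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
WP_TIME = "%Y-%m-%d %H:%M:%S"  # format of user_registered


def roles_from_capabilities(serialized):
    """Return the set of role names granted in a wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def find_suspicious_admins(users, usermeta, known_admins, cutoff):
    """Flag administrator accounts not in the allowlist or registered after
    the cutoff (same format as user_registered); yields (login, email, registered, reasons)."""
    roles = {uid: roles_from_capabilities(val)
             for uid, key, val in usermeta if key == "wp_capabilities"}
    cutoff_dt = datetime.strptime(cutoff, WP_TIME)
    flagged = []
    for uid, login, email, registered in users:
        if "administrator" not in roles.get(uid, set()):
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("not in admin allowlist")
        if datetime.strptime(registered, WP_TIME) > cutoff_dt:
            reasons.append("registered after cutoff")
        if reasons:
            flagged.append((login, email, registered, reasons))
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_admins(WP_USERS, WP_USERMETA, {"owner"}, "2025-01-01 00:00:00"):
        print(hit)
```

Any flagged account should be cross-checked against the access logs and recently modified files mentioned above rather than simply deleted, so the timeline of the intrusion is preserved.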
