blindthoughts
breaking · By

Critical WP Maps Pro Flaw Actively Exploited to Create Rogue Admin Accounts

Threat actors are actively exploiting a critical vulnerability in WP Maps Pro, a commercial WordPress plugin with over 15,000 sales on Envato Market, to register unauthorized administrator accounts on unpatched sites. Exploitation is live, right now.

What Happened

Researchers have confirmed that attackers are scanning for and exploiting a critical flaw in WP Maps Pro — a plugin that lets site owners embed customized Google Maps with markers, routes, and store locators. The bug allows unauthenticated attackers to create new accounts with full WordPress administrator privileges, bypassing any login or registration guard. According to The Hacker News, active exploitation campaigns are already underway targeting sites running the vulnerable version.

Why It Matters

Administrator access means complete site compromise. Attackers can install backdoors, redirect traffic, harvest credentials, exfiltrate customer data, or repurpose the site for phishing and malware delivery — all without any further exploitation needed. With 15,000+ confirmed sales on Envato Market plus an unknown number of redistributed or nulled copies in the wild, the exposed surface is broad.

This class of vulnerability — unauthenticated privilege escalation to admin — is among the most dangerous in the WordPress ecosystem. Exploitation is trivial to automate, detection requires active log review, and recovery from a fully-compromised site is labor-intensive. Mass scanning campaigns typically reach peak velocity within 24–48 hours of public disclosure for flaws of this severity.

What to Do

Check exposure first:

Audit for existing compromise:

Remediate:

  1. Update immediately to the patched version via Envato Market or your plugin update dashboard.
  2. Disable the plugin if no patch is yet available — a temporary map outage is a far smaller risk than full site takeover.
  3. Enable a WAF virtual patch — Wordfence, Patchstack, and similar tools typically push rules within hours of disclosure for critical CVEs.
  4. If rogue admin accounts are found, treat the site as fully compromised: rotate all admin passwords, regenerate wp-config.php secret keys, run a malware scan (Wordfence or Sucuri Scanner), and restore from a clean pre-exploitation backup if available.
Sources
  1. Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?