Critical WP Maps Pro Flaw Actively Exploited to Create Rogue Admin Accounts
Threat actors are actively exploiting a critical vulnerability in WP Maps Pro, a commercial WordPress plugin with over 15,000 sales on Envato Market, to register unauthorized administrator accounts on unpatched sites. Exploitation is live, right now.
What Happened
Researchers have confirmed that attackers are scanning for and exploiting a critical flaw in WP Maps Pro — a plugin that lets site owners embed customized Google Maps with markers, routes, and store locators. The bug allows unauthenticated attackers to create new accounts with full WordPress administrator privileges, bypassing any login or registration guard. According to The Hacker News, active exploitation campaigns are already underway targeting sites running the vulnerable version.
Why It Matters
Administrator access means complete site compromise. Attackers can install backdoors, redirect traffic, harvest credentials, exfiltrate customer data, or repurpose the site for phishing and malware delivery — all without any further exploitation needed. With 15,000+ confirmed sales on Envato Market plus an unknown number of redistributed or nulled copies in the wild, the exposed surface is broad.
This class of vulnerability — unauthenticated privilege escalation to admin — is among the most dangerous in the WordPress ecosystem. Exploitation is trivial to automate, detection requires active log review, and recovery from a fully-compromised site is labor-intensive. Mass scanning campaigns typically reach peak velocity within 24–48 hours of public disclosure for flaws of this severity.
What to Do
Check exposure first:
- In wp-admin go to Plugins and look for WP Maps Pro, or run
wp plugin listvia WP-CLI. - If installed, compare your version against the patched release in the Envato changelog.
Audit for existing compromise:
- Go to Users → All Users, filter by Administrator, and look for accounts you did not create.
- Via WP-CLI:
wp user list --role=administrator - Review
wp_usersfor any accounts registered in the past 48–72 hours. - Check server access logs for POST requests to
wp-admin/user-new.phporwp-login.phpfrom unfamiliar IPs.
Remediate:
- Update immediately to the patched version via Envato Market or your plugin update dashboard.
- Disable the plugin if no patch is yet available — a temporary map outage is a far smaller risk than full site takeover.
- Enable a WAF virtual patch — Wordfence, Patchstack, and similar tools typically push rules within hours of disclosure for critical CVEs.
- If rogue admin accounts are found, treat the site as fully compromised: rotate all admin passwords, regenerate
wp-config.phpsecret keys, run a malware scan (Wordfence or Sucuri Scanner), and restore from a clean pre-exploitation backup if available.
Synthesized by Claude · sanity-checked before publish.