blindthoughts
breaking · By

WP Maps Pro Plugin Actively Exploited to Plant Rogue Admin Accounts

Threat actors are actively exploiting a critical authentication bypass vulnerability in WP Maps Pro, a commercial WordPress plugin used to embed interactive maps. The flaw lets unauthenticated remote attackers register arbitrary administrator accounts — no credentials, no brute force required. BleepingComputer confirmed active exploitation in the wild.

Why This Is Bad

Unauthenticated admin creation is as severe as WordPress vulnerabilities get. Once an attacker drops a rogue admin account, they own the site with a persistent, legitimate-looking credential — one that survives plugin removal and can be invisible to cursory audits if you aren't specifically watching for new admin creation events.

WP Maps Pro is a paid plugin with an active install base across business, real estate, and directory-style WordPress sites — many of which handle user data, contact forms, or payment flows. A compromised admin account means the attacker can:

With active exploitation confirmed, mass automated scanning for vulnerable installs is almost certainly already underway. Every hour a vulnerable site stays unpatched is an hour it spends in someone's target queue.

What To Do Right Now

1. Check your plugin version. In wp-admin, go to Plugins → Installed Plugins and locate WP Maps Pro. Note the version.

2. Update immediately. Apply the latest release from the plugin developer's site or your license portal. If your dashboard shows no update available yet, check the developer site directly for an emergency release.

3. Audit your administrator accounts. Go to Users → All Users, filter by Administrator role. Any account you don't recognize — especially recently created ones — is a compromise indicator. Delete it, rotate all other admin passwords, and regenerate your WordPress secret keys in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, etc.).

4. Review recent access logs. Look for POST requests to user registration or REST API endpoints — repeated hits against /wp-json/ or ?rest_route= paths from a single IP are a red flag.

5. If you cannot patch immediately, disable WP Maps Pro until you can, or block the relevant REST API endpoint via your WAF or Nginx config.

6. Check for persistence after patching. Scan installed plugins for anything unfamiliar. Verify your wp-content/plugins/ directory against known-good contents. A file integrity scanner (Wordfence or similar) can surface injected backdoors that survive a plugin update.

If you manage multiple WordPress sites, treat this as a fleet-wide incident: audit every instance running WP Maps Pro before end of day. Attackers moving from initial access to backdoor installation can do so in minutes once they hold admin credentials.

Sources
  1. WP Maps Pro bug exploited to create admin accounts on WordPress sites

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?