Flippercode: WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover

Critical WP Maps Pro Plugin Vulnerability Allowed Unauthenticated Admin Account Creation

A severe security flaw in the WP Maps Pro WordPress plugin (versions up to 6.1.0) enabled unauthenticated attackers to create administrator accounts, leading to potential full site takeovers. The vulnerability, discovered by security researcher David Brown and reported via the Wordfence Bug Bounty Program on March 24, 2026, affected over 15,000 installations at the time of disclosure.

The flaw stemmed from an improperly secured AJAX action in the plugin’s temporary access feature, originally designed for support staff. The wpgmp_temp_access_ajax_callback() function lacked a capability check, so unauthenticated users could reach it. Because the nonce guarding the action was publicly exposed, it offered no real protection: attackers could trigger the callback and have it execute wpgmp_temp_access_support(), which generated a new administrator account with:

  • A randomly generated username (e.g., fc_user_*),
  • The hardcoded email support@flippercode.com,
  • Full administrator privileges.

The plugin then provided a login URL that authenticated the attacker without requiring a password, granting them unrestricted access to:

  • Install malicious plugins,
  • Modify themes,
  • Inject backdoors,
  • Deploy webshells,
  • Steal site data.

The vendor patched the issue in WP Maps Pro 6.1.1, released on May 20, 2026, by adding a capability check to restrict the vulnerable endpoint to authenticated administrators. Wordfence provided firewall protection to Premium, Care, and Response users on May 18, 2026, with free users scheduled to receive the same protection on June 17, 2026. The vulnerability was escalated to Envato’s security team on May 16, 2026, after researchers failed to locate direct vendor contact information.
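The root cause above (an AJAX callback with no capability check, guarded only by a publicly exposed nonce) and the fix (a capability check on the endpoint) map onto a standard WordPress handler pattern. The following is an added, illustrative hardened handler, not the plugin's own code or its actual patch; the function name, hook names, nonce action, user-meta keys and e-mail address are hypothetical, and it assumes a normal WordPress environment.

```php
<?php
// Added example: a temporary-access AJAX handler written the way the fix describes.
// Hypothetical names throughout; modelled on the pattern in the advisory, not copied from it.

// Registered only under wp_ajax_, so requests from visitors who are not logged in never
// reach it. An endpoint reachable without login (as described above) would also have
// needed the wp_ajax_nopriv_ hook; omitting that hook is the first line of defence.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_ajax_callback' );

function example_temp_access_ajax_callback() {
    // 1. Capability check: the check the vulnerable callback lacked. Being logged in
    //    is not enough; only users allowed to create accounts may proceed.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Nonce check. A nonce is a CSRF token, not an authorization mechanism: a nonce
    //    printed into a public page protects nothing on its own, so it is paired with
    //    the capability check rather than used instead of it.
    check_ajax_referer( 'example_temp_access_nonce', 'nonce' );

    // 3. Create the support account with a strong random password instead of issuing a
    //    password-less login URL, and record who created it and when it expires.
    $username = 'fc_support_' . wp_generate_password( 8, false );
    $password = wp_generate_password( 24, true );
    $user_id  = wp_create_user( $username, $password, 'support@example.invalid' ); // hypothetical address
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // Grant the least role that covers the support task; administrator is not the default.
    $user = new WP_User( $user_id );
    $user->set_role( 'editor' );
    update_user_meta( $user_id, 'example_temp_access_expires', time() + DAY_IN_SECONDS );
    update_user_meta( $user_id, 'example_temp_access_created_by', get_current_user_id() );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

A scheduled task that removes accounts whose `example_temp_access_expires` meta is in the past closes the loop, so a forgotten support account does not outlive the support session.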

Source: https://thecyberexpress.com/wp-maps-pro-vulnerability/

WePlugins cybersecurity rating report: https://www.rankiteo.com/company/weplugins

{
  "id": "WEP1780050340",
  "linkid": "weplugins",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "15,000+ WordPress sites",
      "industry": "Web Development, WordPress Ecosystem",
      "location": "Global",
      "name": "WP Maps Pro Plugin Users",
      "size": "Over 15,000 installations",
      "type": "Software/Plugin"
    }
  ],
  "attack_vector": "Remote Exploitation",
  "customer_advisories": "WordPress site administrators using WP Maps Pro advised to update immediately.",
  "data_breach": {
    "personally_identifiable_information": "Potential (if stored on compromised sites)",
    "sensitivity_of_data": "High (administrative access, potential PII/payment data)",
    "type_of_data_compromised": "Site data, administrative credentials, potentially PII/payment data"
  },
  "date_detected": "2026-03-24",
  "date_publicly_disclosed": "2026-05-20",
  "date_resolved": "2026-05-20",
  "description": "A severe security flaw in the WP Maps Pro WordPress plugin (versions up to 6.1.0) enabled unauthenticated attackers to create administrator accounts, leading to potential full site takeovers. The vulnerability stemmed from an improperly secured AJAX action in the plugin’s temporary access feature, allowing attackers to generate new administrator accounts with full privileges.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage for affected sites",
    "data_compromised": "Site data, including sensitive information if stored",
    "identity_theft_risk": "High (if PII was stored on compromised sites)",
    "operational_impact": "Full site takeover, unauthorized administrative access",
    "payment_information_risk": "High (if payment data was stored on compromised sites)",
    "systems_affected": "WordPress sites using WP Maps Pro plugin (versions ≤ 6.1.0)"
  },
  "initial_access_broker": {
    "backdoors_established": "Administrator account creation",
    "entry_point": "Publicly exposed AJAX endpoint with insecure nonce",
    "high_value_targets": "WordPress sites with sensitive data"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Importance of proper capability checks in AJAX actions, secure nonce handling, and vendor contact transparency.",
  "post_incident_analysis": {
    "corrective_actions": "Added capability check, patched vulnerable endpoint, improved vendor contact transparency",
    "root_causes": "Missing capability check in `wpgmp_temp_access_ajax_callback()` function, insecure nonce handling"
  },
  "recommendations": "Update to WP Maps Pro 6.1.1 or later, implement Wordfence firewall protection, audit plugin security, and ensure proper access controls.",
  "references": [
    { "date_accessed": "2026-03-24", "source": "Wordfence Bug Bounty Program" },
    { "date_accessed": "2026-05-20", "source": "WP Maps Pro Plugin Changelog" }
  ],
  "response": {
    "containment_measures": "Firewall protection (Wordfence Premium/Care/Response users on 2026-05-18)",
    "remediation_measures": "Patch released in WP Maps Pro 6.1.1 (2026-05-20), capability check added",
    "third_party_assistance": "Wordfence Bug Bounty Program, Envato Security Team"
  },
  "title": "Critical WP Maps Pro Plugin Vulnerability Allowed Unauthenticated Admin Account Creation",
  "type": "Privilege Escalation",
  "vulnerability_exploited": "Improperly secured AJAX action (CVE not specified)"
}