
Unauthenticated Admin Account Creation in WP Maps Pro Plugin Actively Exploited

An authentication bypass vulnerability in WP Maps Pro allows unauthenticated attackers to create administrative accounts on WordPress sites. Active exploitation is reported in the wild.

Sebastion

Affected

WP Maps Pro WordPress plugin

WP Maps Pro contains a function that generates administrator-level user accounts without validating user authentication or authorisation. This is a direct auth bypass rather than a logic flaw in parameter handling. Attackers can reach the vulnerable endpoint without any credentials or nonce tokens, construct a request to trigger account creation, and immediately gain full site control through the new admin account.

The technical root cause appears to be missing access controls in the plugin's user creation callback. WordPress provides the current_user_can() function specifically to prevent this pattern, yet the plugin performs no such capability check before processing this sensitive operation. This indicates either poor security awareness during development or negligent code review.
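To make the root cause concrete, here is an added illustration (not the plugin's own code) of the unprotected callback pattern beside a hardened version that gates the same operation with a nonce and current_user_can(). The action name example_maps_create_user and both function names are hypothetical.

```php
<?php
// Added example, not WP Maps Pro code. Hook and function names are hypothetical.

// UNPROTECTED PATTERN: registered on the nopriv hook, so any visitor can
// reach it, and the callback performs no nonce or capability check before
// creating a user and promoting it to administrator.
add_action( 'wp_ajax_nopriv_example_maps_create_user', 'example_maps_create_user_unprotected' );
function example_maps_create_user_unprotected() {
    $user_id = wp_create_user( $_POST['username'], $_POST['password'], $_POST['email'] );
    if ( ! is_wp_error( $user_id ) ) {
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED PATTERN: only the logged-in hook is registered, and the callback
// still verifies a nonce and the caller's capabilities itself, because hook
// selection alone is not an authorisation control.
add_action( 'wp_ajax_example_maps_create_user', 'example_maps_create_user_hardened' );
function example_maps_create_user_hardened() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_maps_create_user', 'nonce' );

    // Authorisation: only users allowed to create and assign roles may proceed.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: never trust raw request parameters.
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    // The role is fixed server-side and low-privilege; it is never taken from
    // the request, and administrator is never granted by this path.
    $user = new WP_User( $user_id );
    $user->set_role( 'subscriber' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The hardened callback fails closed: wp_send_json_error() terminates the request, so a missing nonce or capability never reaches wp_create_user().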

WordPress site operators running affected versions face immediate takeover risk. An attacker gains administrative privileges equivalent to the site owner, enabling data exfiltration, malware injection, defacement, and lateral movement to other sites on shared hosting. The vulnerability is particularly severe because it requires no authentication attempt that might trigger security monitoring.

Defenders should immediately identify and update WP Maps Pro across all installations. Plugin update mechanisms vary; site operators using outdated plugins may not receive automatic notifications. Review user accounts created in the past weeks, particularly those with administrator role and unfamiliar creation timestamps. Check database logs and web server access logs for requests to the vulnerable endpoint. Consider disabling the plugin entirely if updates are unavailable pending developer response.

This incident reflects a systemic WordPress security problem: the plugin ecosystem lacks mandatory security review before distribution. Over 58,000 plugins exist in the official repository with minimal vetting. Organisations running business-critical WordPress installations should implement plugin whitelisting, restrict plugin uploads to administrators only, and consider commercial plugin security scanning tools as part of their patching workflow.