In brief: A security vulnerability in WP Maps Pro enables attackers to create admin accounts without authentication, gaining full control over WordPress websites.
A security vulnerability in the WordPress plugin WP Maps Pro is being actively exploited to create admin accounts without authentication on affected websites. Attackers can thereby assume full control over WordPress installations.
Security researchers have documented that attackers are deliberately exploiting a critical authentication vulnerability in the WP Maps Pro plugin. Those affected are WordPress websites running vulnerable versions of the plugin. Without valid login credentials, the security vulnerability can be exploited to create admin user accounts.
Admin privileges on a WordPress installation represent a critical scenario for a CISO: the attacker gains complete access to all website content, can inject malware, exfiltrate user information, or use the website for further attacks. The vulnerability requires no prior knowledge of the WordPress system and can be exploited automatically.
As a countermeasure, the plugin should be updated to the latest available version. Administrators are advised to promptly review their WordPress installations and disable the plugin if an update is not immediately available. Admin accounts and their creation dates should be checked in the administration area, and unknown accounts deleted. For better protection going forward, network-based access control to WordPress admin areas and regular audits of installed plugins for vulnerabilities are recommended.
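The admin-account review described above can be scripted. The following is an added example, not code from the source article or the plugin vendor: it audits a CSV export such as the one produced by `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`. The sample rows, the allowlist and the review-window date are constructed assumptions to replace with your own values.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a WP-CLI administrator export (not real accounts).
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-14 09:12:44
7,editor-lead,lead@example.com,2023-11-02 16:40:10
42,wp_support01,support@example.net,2026-05-29 03:17:05
43,sysadm,ops@example.org,0000-00-00 00:00:00
"""

# Assumption: logins your team knows it created.
KNOWN_ADMINS = {"siteowner", "editor-lead"}
# Assumption (constructed date): earliest day the site ran a vulnerable version.
WINDOW_START = datetime(2026, 5, 1)


def parse_registered(value):
    """Parse WordPress' user_registered column; None if zeroed or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def audit_admins(csv_text, known, window_start):
    """Return (login, registered, reasons) for every admin needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        registered = parse_registered(row["user_registered"])
        reasons = []
        if login not in known:
            reasons.append("not on allowlist")
        if registered is None:
            # A zeroed date cannot be placed on a timeline; review by hand.
            reasons.append("invalid registration date")
        elif registered >= window_start:
            reasons.append("created inside review window")
        if reasons:
            findings.append((login, row["user_registered"], reasons))
    return findings


if __name__ == "__main__":
    for login, registered, reasons in audit_admins(
            SAMPLE_CSV, KNOWN_ADMINS, WINDOW_START):
        print(f"REVIEW {login} ({registered}): {', '.join(reasons)}")
```

An account on the allowlist is still flagged if it was created inside the review window, since the allowlist itself may be out of date.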
Source: www.bleepingcomputer.com · Published May 31, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.7.