CVE-2024-10642: WP Maps Pro Exploited to Create WordPress Admin Accounts
- Threat actors are exploiting a critical flaw to gain full administrative control of WordPress sites without any authentication required.
- All WordPress installations running the WP Maps Pro plugin versions 6.1.1 and earlier are currently vulnerable to this attack.
- Administrators must immediately update the WP Maps Pro plugin to version 6.1.2 or higher to prevent unauthorized account creation.
Threat actors are actively exploiting a critical vulnerability in the WP Maps Pro plugin for WordPress, a popular tool for integrating location-based services and Google Maps into websites. According to BleepingComputer, the flaw allows unauthenticated users to gain full administrative access to affected sites by manipulating core WordPress settings.
Identified as CVE-2024-10642, the flaw carries a CVSS score of 9.8. It is characterized as an unauthenticated privilege escalation bug that stems from a lack of proper authorization checks on a specific AJAX endpoint. When exploited, it permits an attacker to perform administrative actions, such as creating new user accounts with the highest level of permissions.
Technical Analysis: WP Maps Pro 6.1.1 Privilege Escalation Fix
The vulnerability exists in the way the plugin handles the wpgmp_save_settings AJAX action. This function was designed to allow administrators to update the plugin’s configuration via the web interface. However, developers failed to implement a capability check, such as current_user_can(), or a nonce check to verify that the request originated from a legitimate, authorized user. Because the action was registered with the wp_ajax_nopriv_ prefix, it became accessible to any visitor, including those without an account on the site.
To achieve full site takeover, attackers typically send a crafted POST request to the admin-ajax.php file. The payload targets the wpgmp_save_settings action and modifies two specific WordPress global options: users_can_register and default_role. By setting users_can_register to true and default_role to ‘administrator’, the attacker effectively opens the site to public registration where every new user is automatically granted full admin rights. After these changes are applied, the attacker registers a new account, logs in, and gains complete control over the site’s content, database, and user management.
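As an added illustration (not the plugin's actual code), the pattern the article describes beside a hardened handler: the hook names follow the wpgmp_save_settings action, while the nonce action name, the settings parameter layout and the allow-listed option keys are assumptions for this example.

```php
<?php
// Added example, not WP Maps Pro's own code. Names such as
// 'wpgmp_settings_nonce' and WPGMP_ALLOWED_OPTIONS are assumed.

// VULNERABLE PATTERN (as described in the article): the action was also
// hooked for logged-out visitors, with no nonce and no capability check,
// and it wrote whatever option names were posted. Registration is shown
// commented out so this file only wires up the hardened handler.
// add_action( 'wp_ajax_nopriv_wpgmp_save_settings', 'wpgmp_save_settings_vulnerable' );
// add_action( 'wp_ajax_wpgmp_save_settings', 'wpgmp_save_settings_vulnerable' );
function wpgmp_save_settings_vulnerable() {
    foreach ( $_POST['settings'] as $name => $value ) {
        update_option( $name, $value ); // reaches users_can_register, default_role, ...
    }
    wp_send_json_success();
}

// HARDENED PATTERN: logged-in only (no wp_ajax_nopriv_ hook), nonce and
// capability checks, and only plugin-owned option keys can be written.
const WPGMP_ALLOWED_OPTIONS = array( 'wpgmp_api_key', 'wpgmp_map_zoom' ); // assumed keys

add_action( 'wp_ajax_wpgmp_save_settings', 'wpgmp_save_settings_hardened' );
function wpgmp_save_settings_hardened() {
    // Dies with a 403 unless the request carries a nonce created with
    // wp_create_nonce( 'wpgmp_settings_nonce' ) on the plugin's settings page.
    check_ajax_referer( 'wpgmp_settings_nonce', 'nonce' );

    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $posted = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $saved = array();
    foreach ( $posted as $name => $value ) {
        // Allow-list: core options such as users_can_register are never reachable.
        if ( ! in_array( $name, WPGMP_ALLOWED_OPTIONS, true ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( $value ) );
        $saved[] = $name;
    }
    wp_send_json_success( array( 'saved' => $saved ) );
}
```

The allow-list matters even after the nonce and capability checks: a settings endpoint should only ever touch the options it owns, so a future authorization slip cannot again turn into a site-wide registration change.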
Detection and Impact
Security researchers have observed this flaw being utilized in the wild to inject rogue administrator accounts. For organizations concerned about compromise, it is vital to know how to detect CVE-2024-10642 exploit attempts. Security teams should audit their WordPress user lists for any unfamiliar accounts, particularly those created recently with the administrator role. Additionally, reviewing web server logs for POST requests to admin-ajax.php that contain the wpgmp_save_settings parameter can reveal signs of attempted or successful exploitation.
The impact of a successful breach is severe. An attacker with administrative privileges can install malicious plugins, exfiltrate sensitive user data, redirect traffic to phishing sites, or deploy malware. For businesses using WP Maps Pro, applying the fix for the 6.1.1 privilege escalation flaw is the only way to ensure the integrity of the platform.
Remediation and Recommendations
The most effective mitigation is to update the WP Maps Pro plugin to version 6.1.2 or later immediately. The developer released this patch to specifically address the missing authorization checks.
Defenders should also consider the following steps:
- User Audit: Review all accounts with administrative privileges and delete any that are unrecognized.
- Log Monitoring: Integrate web application logs into a SIEM or SOC workflow to monitor for unauthorized setting changes.
- Configuration Hardening: If your site does not require public registration, ensure the ‘Anyone can register’ setting is disabled in the WordPress General Settings and verify the default user role is set to ‘Subscriber’.
- Indicator Verification: Scan the database for any IoC involving unauthorized changes to the wp_options table.