WP Maps Pro Flaw Exploited for Admin Account Creation — Patch Now
- Threat actors are actively exploiting a critical vulnerability to gain full administrative control over affected WordPress websites.
- The vulnerability impacts the WP Maps Pro plugin, sold via the Envato Market, with over 15,000 active installations.
- Administrators must immediately update the WP Maps Pro plugin to the latest version and audit for unauthorized administrator accounts.
Threat actors have begun actively targeting a critical security vulnerability within WP Maps Pro, a popular premium WordPress plugin. According to The Hacker News, the flaw allows unauthenticated attackers to perform unauthorized WordPress administrator account creation, effectively granting them full control over the underlying website environment. This plugin, which has recorded over 15,000 sales on the Envato Market, is widely utilized by site owners to integrate customizable Google Maps and OpenStreetMap features, including advanced location listings and markers.
Summary of the WP Maps Pro Exploitation
The exploit attempts observed in the wild focus on bypassing security checks to register new users with elevated privileges. By gaining an administrative foothold, an attacker can modify site content, redirect traffic to malicious domains, install additional backdoors, or exfiltrate sensitive user data. This type of Privilege Escalation is particularly dangerous because it bypasses traditional security boundaries, turning a legitimate plugin feature into a vector for total site compromise.
Security researchers have noted that the active exploitation phase started shortly after the vulnerability became known. Because WP Maps Pro is a premium plugin distributed through third-party marketplaces, many site owners do not receive the automated update notifications provided by the official WordPress.org repository, leading to a prolonged window of exposure for unpatched systems. Failure to address this CVE-equivalent flaw immediately leaves a site open to automated botnets scanning for susceptible installations.
Technical Analysis of the Vulnerability
The root cause of the issue stems from insufficient input validation and a lack of proper authorization checks on specific endpoints used by the plugin. In many WordPress plugin vulnerabilities, unauthenticated RCE or account creation occurs when functions intended for administrative use are exposed to the public via AJAX or REST API handlers without verifying the requester's identity or capabilities.
In this instance, the attackers leverage the flaw to inject metadata or trigger registration scripts that assign the ‘administrator’ role to a user-controlled account. Once the account is created, the attacker logs in via the standard WordPress login portal, rendering many EDR or perimeter defenses ineffective since the subsequent actions appear as legitimate administrative activity.
How to Detect WP Maps Pro Exploit Signatures
For teams operating a SOC, identifying this activity requires monitoring web server access logs for unusual POST requests directed at plugin-specific directories or the admin-ajax.php file. Security professionals should prioritize identifying unauthorized WordPress administrator account creation by auditing the wp_users and wp_usermeta tables for any accounts they did not personally authorize.
Key IoC patterns include:
- New administrator accounts with suspicious email domains (e.g., disposable email services).
- Unexpected entries in the WordPress audit log showing user registration from foreign IP addresses.
- Modification of plugin settings without a corresponding change request.
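The two checks described above, as an added illustration that is not code from the article or the plugin vendor: the first flags POST requests to admin-ajax.php or plugin directories in a web access log, the second lists administrator accounts in wp_users/wp_usermeta that are not on an approved list. The log lines, the plugin path, the user rows and the approved-admin set are all constructed sample data.

```python
import re

# Constructed sample access-log lines in combined log format (not from any real incident).
# "example-plugin" is a placeholder directory, not the real plugin slug.
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2025:03:12:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2025:03:12:45 +0000] "GET /wp-content/plugins/example-plugin/assets/app.js HTTP/1.1" 200 9481 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:03:12:47 +0000] "POST /wp-content/plugins/example-plugin/ajax.php?action=register HTTP/1.1" 200 77 "-" "python-requests/2.31"
192.0.2.10 - - [10/May/2025:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Paths the article names as worth watching: admin-ajax.php and plugin-specific directories.
WATCHED_PREFIXES = ("/wp-admin/admin-ajax.php", "/wp-content/plugins/")


def flag_plugin_posts(log_text):
    """Return (ip, timestamp, path, status) for every POST to a watched path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].startswith(WATCHED_PREFIXES):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


# Constructed wp_users (ID, user_login, user_email) and wp_usermeta (user_id, meta_key, meta_value) rows.
# WordPress stores roles under meta_key '<prefix>capabilities' as a PHP-serialized array; the default
# table prefix 'wp_' is assumed here. Only the 'administrator' key matters for this audit.
WP_USERS = [(1, "siteowner", "owner@example.test"),
            (2, "editor_jane", "jane@example.test"),
            (3, "svc_maps", "x9f2@tempmail.example")]
WP_USERMETA = [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
               (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
               (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')]
KNOWN_ADMINS = {"siteowner"}  # accounts the site owner actually authorized


def unauthorized_admins(users, usermeta, known_admins):
    """Return (login, email) for administrator accounts missing from the approved set."""
    admin_ids = {uid for uid, key, val in usermeta
                 if key == "wp_capabilities" and '"administrator"' in val}
    return [(login, email) for uid, login, email in users
            if uid in admin_ids and login not in known_admins]


if __name__ == "__main__":
    for hit in flag_plugin_posts(ACCESS_LOG):
        print("suspicious POST:", hit)
    for login, email in unauthorized_admins(WP_USERS, WP_USERMETA, KNOWN_ADMINS):
        print("unapproved administrator:", login, email)
```

On a live site the same two queries run against the real access log and `SELECT ... FROM wp_users JOIN wp_usermeta` output; the flagged IP and the unapproved account here would be the starting points for the session revocation and account removal described in the mitigations below.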
Recommended Mitigations
The most effective defense is the immediate application of the latest security patch provided by the plugin developers. Site administrators should verify their current version of WP Maps Pro and compare it against the latest release available on the Envato Market.
Beyond patching, mitigations such as restricting the administrative dashboard to an IP allowlist and enforcing Zero Trust principles can limit the blast radius of such exploits. Furthermore, security teams should configure their SIEM to alert on any new user registration that carries the administrator role. If a compromise is suspected, administrators must revoke all suspicious sessions, delete unauthorized accounts, and rotate all database credentials and API keys associated with the WordPress installation.