Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Summary: Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is

A critical vulnerability affecting the popular WordPress plugin WP Maps Pro is being actively exploited by attackers, prompting urgent warnings from security researchers and website administrators. The flaw highlights once again how third-party WordPress plugins remain one of the most common entry points for cyberattacks against websites worldwide.

According to researchers, the vulnerability allows attackers to compromise vulnerable WordPress installations without requiring legitimate access credentials. Because WP Maps Pro is used to add interactive maps, location directories, and geographic features to websites, the flaw potentially affects a wide range of business, government, educational, and commercial sites.

What makes the situation particularly serious is that exploitation is already occurring in the wild.

Once attackers begin actively targeting a vulnerability, organizations are no longer dealing with a theoretical risk. Automated scanning tools quickly identify vulnerable websites across the internet, allowing cybercriminals to compromise large numbers of systems in a relatively short period of time.

WordPress remains an especially attractive target because of its enormous market share.

Powering a significant portion of the world’s websites, WordPress represents a highly efficient target for attackers. Rather than focusing on individual organizations, threat actors often seek vulnerabilities in widely deployed plugins or themes that can provide access to thousands of sites simultaneously.

Researchers warn that successful exploitation may allow attackers to inject malicious code, create unauthorized administrator accounts, modify website content, redirect visitors, distribute malware, or establish persistent access for future attacks.

In many cases, compromised websites become part of larger criminal operations.

Attackers frequently use hacked WordPress sites to host phishing pages, distribute malware, boost SEO manipulation campaigns, steal visitor information, or serve as infrastructure for additional cyberattacks. A single vulnerable plugin can therefore create risks not only for website owners but also for visitors.

The incident also underscores a persistent challenge in the WordPress ecosystem.

While the platform itself is regularly updated and maintained, many sites depend on dozens of third-party plugins developed by independent vendors. Each additional plugin expands the attack surface and introduces potential security risks that administrators must monitor continuously.

Researchers note that plugin vulnerabilities remain one of the leading causes of WordPress compromises globally.

Many website owners focus on updating WordPress core while overlooking plugins that may contain critical security flaws. Attackers actively monitor plugin disclosures because they often provide easier access paths than attacking the core platform itself.

The speed of exploitation continues to accelerate.

Cybercriminal groups increasingly automate vulnerability scanning and exploitation, allowing them to identify exposed websites within hours of a public disclosure. Once proof-of-concept exploit code becomes available, attacks often increase dramatically.

Artificial intelligence may make this trend even more dangerous.

Security experts warn that AI-assisted reconnaissance and automated exploitation tools could further reduce the time between vulnerability disclosure and active attacks, making rapid patching more important than ever.

Administrators using WP Maps Pro are being urged to update immediately, review logs for suspicious activity, audit user accounts for unauthorized administrators, and inspect websites for unexpected modifications or malicious code injections.
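One way to carry out the user-account audit recommended above, as an added example that is not code from the article or from the plugin vendor: it assumes rows exported from the site's wp_users and wp_usermeta tables, and the allow-list of known administrators and the cutoff date are constructed placeholders you would replace with your own baseline and the disclosure date.

```python
"""Audit WordPress users for unexpected administrator accounts (added example)."""
from datetime import datetime
import re

# Constructed sample wp_users rows: (ID, user_login, user_email, user_registered)
USERS = [
    (1, "siteadmin", "admin@example.invalid", "2022-03-01 09:12:00"),
    (2, "editor", "ed@example.invalid", "2023-06-10 11:00:00"),
    (3, "wpsupport_x1", "x@mail.invalid", "2025-01-15 02:47:31"),
]
# Constructed wp_usermeta rows: (user_id, meta_key, meta_value). WordPress stores
# a user's roles as a PHP-serialized array under the "<prefix>capabilities" key.
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Matches an enabled "administrator" role inside the serialized capabilities array.
ADMIN_RE = re.compile(r's:13:"administrator";b:1;')

def is_admin(meta_value):
    """True if the serialized capabilities string grants the administrator role."""
    return bool(ADMIN_RE.search(meta_value))

def find_suspicious_admins(users, usermeta, known_admins, cutoff, prefix="wp_"):
    """Return administrator accounts that are missing from the known_admins
    allow-list or were registered on/after the cutoff (YYYY-MM-DD), e.g. the
    day the vulnerability was disclosed. Both conditions are reported."""
    caps = {uid: val for uid, key, val in usermeta if key == f"{prefix}capabilities"}
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d")
    findings = []
    for uid, login, email, registered in users:
        if not is_admin(caps.get(uid, "")):
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("not in admin allow-list")
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff_dt:
            reasons.append(f"registered {registered} (after cutoff)")
        if reasons:
            findings.append({"id": uid, "login": login, "email": email, "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Placeholder baseline and cutoff; substitute your real admin list and the disclosure date.
    for f in find_suspicious_admins(USERS, USERMETA, {"siteadmin"}, "2025-01-01"):
        print(f"[!] user {f['id']} '{f['login']}' <{f['email']}>: {', '.join(f['reasons'])}")
```

Any account the script flags should be verified against your change records before removal, and its creation time correlated with the web server logs reviewed in the same audit.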

The broader lesson extends beyond a single plugin.

Modern websites are increasingly built from interconnected ecosystems of plugins, themes, APIs, cloud services, and third-party components. While this approach enables rapid development and powerful functionality, it also creates numerous potential entry points for attackers.

As cybercriminals continue targeting widely deployed web applications, organizations must treat plugin management as a core security responsibility rather than a routine maintenance task.

In today’s threat landscape, a single vulnerable plugin can be all an attacker needs to turn a trusted website into a compromised asset.

Key facts

  • A critical security vulnerability in WP Maps Pro allows attackers to create admin accounts.
  • Over 15,000 users have purchased WP Maps Pro from Envato Market.
  • The exploit targets the plugin’s functionality for embedding Google and OpenStreetMap.

Why it matters

This exploit poses a significant risk to site owners, as it can lead to unauthorized access to and control of their platforms, potentially compromising sensitive data and operations. WP Maps Pro, with over 15,000 sales, is a frequently installed plugin, making this issue particularly relevant for many users.