WP Maps Pro Bug Lets Hackers Create Admin Accounts


A critical vulnerability in WP Maps Pro lets hackers create admin accounts on WordPress sites without authentication. Learn how to protect your site now.

If you're running a WordPress site with the WP Maps Pro plugin, you need to pay attention. A serious security flaw has been discovered that lets hackers create rogue admin accounts without any authentication. That means they can take over your site completely, and you might not even know it until it's too late.

This vulnerability is being actively exploited right now. Security researchers have detected attacks targeting sites using older versions of WP Maps Pro. The plugin is popular among businesses that need interactive maps on their sites, like real estate agencies, travel blogs, and local directories. But that popularity also makes it a prime target.

### How the Attack Works

The bug is in the plugin's AJAX handler, which doesn't properly check user permissions. Hackers can send a specially crafted request to the server, and the plugin will create a new user with administrator privileges. No login required. No password needed. Just a simple HTTP request, and boom, they're in.

Once they have admin access, attackers can do a lot of damage. They can install malicious plugins, redirect traffic to shady sites, steal customer data, or even use your server to launch attacks on other websites. It's a nightmare scenario for any site owner.

### Who Is at Risk?

Any WordPress site running WP Maps Pro version 1.0 or earlier is vulnerable. If you're not sure which version you have, check your plugins dashboard. The fix was released in version 1.1, so updating immediately is your best defense.

Here's a quick checklist to see if you might be affected:

- Do you use WP Maps Pro on your site?
- Have you updated the plugin in the last month?
- Do you have any suspicious admin accounts you didn't create?
- Have you noticed unusual activity in your site logs?

If you answered yes to any of these, take action now.

### How to Protect Your Site

First, update WP Maps Pro to the latest version. The developers patched the vulnerability in version 1.1, so make sure you're running that or newer. You can update directly from your WordPress dashboard under Plugins > Installed Plugins.

Second, check your user accounts. Go to Users > All Users and look for any accounts you didn't create. If you find one, delete it immediately and change your admin password. Also, consider enabling two-factor authentication for extra security.

Third, install a security plugin like Wordfence or Sucuri. These tools can block malicious requests and alert you to suspicious activity. They're not foolproof, but they add a valuable layer of protection.

Finally, back up your site regularly. If the worst happens, you can restore from a clean backup. Store backups offsite, like in the cloud or on an external drive, so they're not affected if your server gets compromised.

### What This Means for Your Business

If your site gets hacked, it's not just a technical headache. It can hurt your reputation, cost you customers, and even lead to legal trouble if sensitive data is exposed. For businesses that rely on their website for leads or sales, this is a serious risk.

Take a few minutes today to check your site. Update the plugin, review your users, and make sure your security settings are solid. It's a small effort that could save you a lot of pain down the road. Stay safe out there.
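
The account review and log check described under "How to Protect Your Site" can be combined into one audit. The script below is an added example, not code from the original article or from the plugin's developers: it flags administrator accounts that are not on a list you maintain and pairs each one with POST requests to `admin-ajax.php` logged around the time the account was registered. It assumes a CSV export produced by WP-CLI's `wp user list`, an access log in combined format, and that `user_registered` is in UTC; the account names, addresses and log lines are constructed samples.

```python
import csv, io, re
from datetime import datetime, timedelta, timezone

# Constructed sample, in the shape produced by:
#   wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv
USERS_CSV = """user_login,user_email,user_registered
siteowner,owner@example.com,2022-03-01 09:15:00
wp_support7,support@example.net,2025-01-14 03:22:41
"""

# Constructed sample access-log lines (combined log format).
ACCESS_LOG = """\
203.0.113.9 - - [14/Jan/2025:03:22:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl/8.0"
198.51.100.4 - - [14/Jan/2025:03:30:02 +0000] "GET /contact/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2025:18:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.com/" "Mozilla/5.0"
"""

# Client address and timestamp of a POST to admin-ajax.php.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST \S*/admin-ajax\.php\S* ')

def unknown_admins(users_csv, known_logins):
    """Return (login, registered_utc) for admins missing from the allowlist."""
    out = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["user_login"] not in known_logins:
            ts = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
            out.append((row["user_login"], ts.replace(tzinfo=timezone.utc)))  # assumed UTC
    return out

def ajax_posts(access_log):
    """Return (client_ip, time) for every POST to admin-ajax.php in the log."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.append((m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")))
    return hits

def correlate(users_csv, access_log, known_logins, window=timedelta(minutes=2)):
    """Map each unknown admin to the IPs that POSTed to admin-ajax.php within the window."""
    hits = ajax_posts(access_log)
    return {login: [ip for ip, t in hits if abs(reg - t) <= window]
            for login, reg in unknown_admins(users_csv, known_logins)}

if __name__ == "__main__":
    for login, ips in correlate(USERS_CSV, ACCESS_LOG, {"siteowner"}).items():
        print(f"unrecognised admin {login!r}; nearby admin-ajax POSTs from: {ips or 'none logged'}")
```

An empty address list for a flagged account does not clear it: logs may have rotated, or the request may have reached the site through a proxy that logs elsewhere.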