Hackers are actively targeting a critical security flaw in WP Maps Pro, a commercial WordPress plugin with over 15,000 sales on the Envato Market. The vulnerability allows unauthenticated attackers to create malicious administrator accounts on susceptible websites, effectively granting them full control over the affected WordPress instances.

The flaw, already under active exploitation, has not yet been assigned a CVE identifier. Given the plugin's sales volume, thousands of sites running WP Maps Pro may be exposed. Security researchers have observed exploit attempts in the wild, marking this as an urgent threat requiring immediate action.

Attackers exploit the bug by sending specially crafted HTTP requests to the plugin's endpoints, bypassing authentication checks. Once a rogue admin account is created, adversaries can upload backdoors, steal data, or deploy further malware. Indicators of compromise include unexpected new admin users and altered plugin files.

Users are strongly advised to disable WP Maps Pro immediately if no patch is available. The plugin developer has not yet released a security update. Until a fix is deployed, site administrators should audit their user databases for unauthorized accounts and implement web application firewall rules to block exploit attempts.
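The two indicators named above (unexpected administrator accounts and altered plugin files) can both be checked with a small audit script. The following is an added example, not code from the article or from the plugin vendor. It assumes the administrator list is exported with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`, that the site owner keeps an allowlist of expected admin logins and a date marking the start of the exploitation window, and that a clean copy of the plugin package is available to hash as a baseline. All sample rows, dates and file names are constructed placeholders.

```python
"""Audit helpers for a WordPress admin-creation incident: flag unexpected
administrator accounts and altered plugin files.  Added example; the input
format, allowlist, window date and sample data are constructed assumptions."""
import csv
import hashlib
import io
from datetime import datetime, timezone
from pathlib import Path

# Assumed input: CSV as produced by
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=csv
# The rows below are constructed sample data, not real accounts.
SAMPLE_ADMIN_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-04 10:22:15
7,editor_jane,jane@example.com,2022-11-19 08:05:41
42,wpmapsuser,x@example.invalid,2024-06-02 03:17:09
"""

# Constructed placeholder: the site owner would set this to the earliest time
# the vulnerable plugin could have been hit (e.g. the first public report).
WINDOW_START = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_admin_csv(text):
    """Parse wp-cli CSV output into dicts, adding a parsed UTC timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["registered_at"] = datetime.strptime(
            row["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def suspicious_admins(rows, known_logins, not_before):
    """Return (ID, login, reasons) for admins that are not on the allowlist
    or were registered at/after `not_before`.  Both conditions are reported
    so an allowlisted account created inside the window is still surfaced."""
    flagged = []
    for row in rows:
        reasons = []
        if row["user_login"] not in known_logins:
            reasons.append("not on administrator allowlist")
        if row["registered_at"] >= not_before:
            reasons.append("registered inside the exploitation window")
        if reasons:
            flagged.append((row["ID"], row["user_login"], reasons))
    return flagged


def hash_tree(root):
    """SHA-256 every regular file under `root`, keyed by relative POSIX path.
    Run once over a clean copy of the plugin and once over the live directory."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(baseline, current):
    """Diff two {relative_path: sha256} manifests.
    Returns (added, removed, modified); any non-empty list needs a look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, removed, modified


if __name__ == "__main__":
    admins = parse_admin_csv(SAMPLE_ADMIN_CSV)
    for uid, login, reasons in suspicious_admins(
            admins, {"siteowner", "editor_jane"}, WINDOW_START):
        print(f"admin ID {uid} ({login}): {'; '.join(reasons)}")
    # Constructed manifests standing in for hash_tree() over a clean package
    # and the live plugin directory; file names are placeholders.
    clean = {"plugin-main.php": "a" * 64, "inc/handler.php": "b" * 64}
    live = {"plugin-main.php": "a" * 64, "inc/handler.php": "c" * 64,
            "inc/cache.php": "d" * 64}
    print(compare_manifests(clean, live))
```

In practice, run `hash_tree()` against a freshly downloaded copy of the plugin at the installed version and against `wp-content/plugins/<plugin-dir>` on the server, and treat any added or modified file as a candidate backdoor rather than something to delete in place; preserve it for the incident record first.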

The campaign appears opportunistic, targeting any site running the vulnerable plugin. Broader WordPress security measures—such as regular updates, account audits, and least-privilege policies—remain critical. This incident underscores the risk posed by third-party plugins with limited disclosure timelines.