WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites
BREACH | Jun 3, 2026 | 4 min read

Attackers are actively targeting WordPress sites running a vulnerable version of the WP Maps Pro plugin, according to a BleepingComputer report published May 31, 2025. The flaw lets an unauthenticated attacker create rogue administrator accounts on the affected site.

What Happened

The WP Maps Pro plugin for WordPress contains a security vulnerability that unauthenticated attackers can exploit to register new administrator-level user accounts on affected sites. No login, credentials, or social engineering are required. Once an attacker holds an admin account, they can install backdoors, inject malicious scripts, steal user data, redirect visitors, or take over the site outright.

Active exploitation has already been observed in the wild. This means attackers are not waiting for full technical details to become public. They are scanning for vulnerable installations right now and acting on what they find.

Why This Matters to Small Teams

For indie hackers and solo developers, WordPress powers a significant share of product landing pages, marketing sites, documentation portals, and early-stage SaaS frontends. A single plugin vulnerability on one of those properties is enough to compromise the entire site, including any customer-facing forms, email capture flows, or embedded payment links.

Small teams are disproportionately at risk here for a practical reason: plugin updates get skipped. When you are shipping features and handling support tickets at the same time, plugin maintenance drops to the bottom of the list. Attackers know this. Automated scanners probe millions of WordPress installations daily, looking for exactly this kind of neglected dependency.

The fact that this exploit requires zero authentication makes it especially dangerous. There is no phishing attempt to catch, no suspicious login to notice. An attacker can add themselves as an admin silently, in seconds, without leaving obvious traces until the damage is already done.

How to Stay Protected

  1. Update WP Maps Pro immediately. Open your WordPress dashboard, go to Plugins, and check for an available update for WP Maps Pro. Install it without delay. If the plugin vendor has released a patched version, that is your first line of defense. If no patched version is available yet, deactivate the plugin until one is; a deactivated plugin's code is no longer loaded, so its vulnerable endpoints stop responding.

  2. Audit your administrator accounts. Go to Users in your WordPress admin and review every account with Administrator role. Remove any accounts you do not recognize. Pay attention to recently created accounts or accounts with generic usernames.

  3. Disable or remove unused plugins. If you installed WP Maps Pro for a project and no longer need it, deactivate and delete it. Every active plugin is an attack surface. Fewer plugins means fewer vulnerabilities to manage.

  4. Enable login notifications. Use a security plugin or hosting-level feature to alert you when a new admin account is created or when a login occurs from an unfamiliar IP. Early warning is valuable when the exploit itself is silent.

  5. Check your site files for backdoors. If your site was running a vulnerable version while exploitation was active, an update alone is not sufficient. Scan your installation for unexpected PHP files, modified core files, or injected scripts. Your hosting provider's malware scanner or a dedicated WordPress security tool can help. Treat a confirmed rogue admin as a full compromise: after cleanup, reset every administrator password, rotate the authentication salts in wp-config.php so existing login cookies are invalidated, and rotate any API keys or credentials stored in the site.

  6. Review your hosting access logs. Look for unusual POST requests to plugin endpoints or user registration URLs around the time the vulnerability became public. Logs can confirm whether your site was targeted even if it appears clean on the surface.
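Steps 2 and 6 above are the ones a small team can script. The following is an added example written for this post, not code from the original article, from BleepingComputer, or from the plugin vendor. It flags administrator accounts that are unknown or were registered after the disclosure window opened, and it flags POST requests in a combined-format access log that hit the plugin's directory, the generic AJAX/REST entry points, or the user registration and creation URLs. The vulnerable endpoint itself is not named in the sources this post draws on, so the path patterns, the plugin slug in the sample log, and the review window start date are all assumptions; the log lines and user list are constructed.

```python
"""Triage helpers for a WordPress site that ran a vulnerable WP Maps Pro build.

Added illustration for this post; not code from the original article, from
BleepingComputer, or from the plugin vendor. It flags (a) administrator
accounts that are unknown or were registered after the disclosure window
opened and (b) POST requests in the web server access log that hit the
plugin directory, the generic AJAX/REST entry points, or the user
registration/creation URLs. All sample data below is constructed.
"""
import re
from datetime import datetime, timezone

# Start of the window to review. Assumption: the day before the report date
# quoted in the post; widen it if your site was unpatched for longer.
SINCE = datetime(2025, 5, 30, tzinfo=timezone.utc)

# Apache/nginx "combined" log format. Assumption: your host uses it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The vulnerable endpoint is not named in the sources this post draws on, so
# these patterns are assumptions: the plugin's own directory (slug assumed to
# contain "map"), the two generic entry points plugins commonly hook, and the
# two URLs through which WordPress itself registers or creates users.
SUSPICIOUS_PATHS = [
    re.compile(r"/wp-content/plugins/[^/]*map[^/]*/", re.I),
    re.compile(r"/wp-admin/admin-ajax\.php"),
    re.compile(r"/wp-json/"),
    re.compile(r"/wp-login\.php\?action=register"),
    re.compile(r"/wp-admin/user-new\.php"),
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_posts(lines, since=SINCE):
    """POST requests at or after `since` whose path matches SUSPICIOUS_PATHS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["ts"] < since:
            continue
        if any(p.search(rec["path"]) for p in SUSPICIOUS_PATHS):
            hits.append(rec)
    return hits


def suspicious_admins(users, known_logins, since=SINCE):
    """Flag admins not in `known_logins` or registered at/after `since`.

    `users` has the shape of `wp user list --role=administrator --format=json
    --fields=ID,user_login,user_email,user_registered` (WP-CLI); user_registered
    is a MySQL datetime, which WordPress stores in UTC.
    """
    flagged = []
    for u in users:
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        reasons = []
        if u["user_login"] not in known_logins:
            reasons.append("unknown login")
        if registered >= since:
            reasons.append("registered after disclosure")
        if reasons:
            flagged.append((u["user_login"], reasons))
    return flagged


# Constructed sample data: one scanner IP fingerprints the plugin, POSTs to
# admin-ajax.php, and a new admin appears seconds later. The 29 May entry
# falls before the review window and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2025:02:14:09 +0000] "GET /wp-content/plugins/wp-maps-pro/readme.txt HTTP/1.1" 200 1822
203.0.113.7 - - [31/May/2025:02:14:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47
203.0.113.7 - - [31/May/2025:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [31/May/2025:09:30:00 +0000] "GET /about/ HTTP/1.1" 200 9210
192.0.2.44 - - [29/May/2025:18:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47
"""
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2023-01-10 08:00:00"},
    {"ID": 57, "user_login": "wpsupport", "user_email": "x@example.net",
     "user_registered": "2025-05-31 02:14:13"},
]
KNOWN_ADMINS = {"owner"}

if __name__ == "__main__":
    for login, reasons in suspicious_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"ADMIN  {login}: {', '.join(reasons)}")
    for rec in suspicious_posts(SAMPLE_LOG.splitlines()):
        print(f"POST   {rec['ts'].isoformat()} {rec['ip']} {rec['path']} -> {rec['status']}")
```

On a real site, export the admin list with `wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered`, pass it through `json.load` into `suspicious_admins`, and feed the open log file directly to `suspicious_posts`. A flagged POST to admin-ajax.php is not proof of exploitation on its own (many legitimate plugins use that endpoint), but a flagged POST from an IP that fingerprinted the plugin moments earlier, followed by an unknown admin account, is exactly the sequence step 6 tells you to look for.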

How UNPWNED Helps

UNPWNED scans your web properties for exposed vulnerabilities and misconfigured security controls. Our checks cover categories including outdated or risky third-party components, missing HTTP security headers, and exposed admin interfaces. While UNPWNED focuses on your site's external security posture rather than deep WordPress plugin auditing, running a scan can surface related risks such as exposed login pages, missing brute-force protections, and insecure configurations that make incidents like this one easier for attackers to exploit. Across the 1,903 sites we have scanned, the average security score sits at 72 out of 100, which means most sites are leaving detectable gaps open.


This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.