A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites.
The issue affected all WP Maps Pro versions up to and including 6.1.0. The plugin had more than 15,000 sales at the time the vulnerability was disclosed.
The vulnerability was submitted to the Wordfence Bug Bounty Program on March 24, 2026. Security researcher David Brown discovered and responsibly reported the flaw, earning a $1,950 bounty.
Wordfence stated that attackers could exploit a vulnerable AJAX action to create administrator accounts without authentication.
How the WP Maps Pro WordPress Plugin Vulnerability Worked
The WP Maps Pro WordPress plugin included a temporary access feature designed for support staff troubleshooting. The issue existed in the wpgmp_temp_access_ajax_callback() function, which handled the plugin’s AJAX action.
The only check the function performed was a nonce check against the action fc-call-nonce:

    function wpgmp_temp_access_ajax_callback() {
        // CSRF check only: proves the caller saw a page containing the nonce, nothing more.
        check_ajax_referer( 'fc-call-nonce', 'nonce' );
        $temp_access = new WPGMP_Temp_Access();
        $response    = $temp_access->wpgmp_temp_access_support();
        wp_send_json( $response );
        exit();
    }
Researchers found that the nonce was publicly exposed on frontend pages through wp_localize_script, so any visitor could read it out of the page source. Because the AJAX action was also registered with wp_ajax_nopriv_, the endpoint was reachable by unauthenticated users.
A WordPress nonce is a CSRF token, not an authorization mechanism: it proves that the request originated from a page that contained the nonce, not who is making the request. The vulnerable version contained no capability check (for example current_user_can()) to confirm that the caller was an administrator, so a leaked nonce was all an attacker needed.
Administrator Account Creation
After triggering the AJAX action with check_temp=false, the plugin executed the wpgmp_temp_access_support() function.
The function created a new WordPress administrator account using:
- A randomly generated username beginning with fc_user_
- A hardcoded email address
- The administrator role
The plugin then generated a login URL tied to the new account.
According to the technical analysis, visiting the generated URL triggered wp_set_auth_cookie() for that account, logging the attacker in as an administrator without ever supplying a password.
Wordfence stated that attackers could then:
- Install malicious plugins
- Modify themes
- Inject backdoors
- Deploy webshells
- Steal site data
The vulnerability could result in full site takeover.
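A site that ran an affected version cannot assume it was untouched before the patch landed, so the first step after updating is to look for the artifact the analysis describes: administrator accounts whose login begins with fc_user_. The script below is an added example, not code from the article, Wordfence or the plugin. It is written to be run with WP-CLI (wp eval-file) on the affected site so that WordPress and WP_User_Query are already loaded; the function name wpgmp_find_fc_user_admins is my own.

```php
<?php
// Added example, not the plugin's code. Run with:
//   wp eval-file find-fc-user-admins.php
// (WP-CLI loads WordPress first, so WP_User_Query and WP_CLI are available.)

/**
 * Return administrator accounts whose login starts with the fc_user_ prefix
 * that the Wordfence analysis attributes to the temp-access feature.
 *
 * @return array<int, array{ID:int, login:string, email:string, registered:string}>
 */
function wpgmp_find_fc_user_admins() {
    $query = new WP_User_Query( array(
        'role'           => 'administrator',
        'search'         => 'fc_user_*',                  // trailing * = prefix match
        'search_columns' => array( 'user_login' ),        // match the login only
        'fields'         => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'number'         => -1,                           // no paging; we want every hit
    ) );

    $hits = array();
    foreach ( $query->get_results() as $user ) {
        $hits[] = array(
            'ID'         => (int) $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,       // when the account appeared
        );
    }
    return $hits;
}

$rogue = wpgmp_find_fc_user_admins();

if ( empty( $rogue ) ) {
    WP_CLI::success( 'No administrator accounts with an fc_user_ login prefix found.' );
} else {
    WP_CLI::warning( count( $rogue ) . ' suspicious administrator account(s) found:' );
    WP_CLI\Utils\format_items( 'table', $rogue, array( 'ID', 'login', 'email', 'registered' ) );
    // Do not simply delete them. Record user_registered, pull web-server and
    // access logs for that window, check for new plugins, theme edits and
    // unfamiliar files, then remove with:
    //   wp user delete <ID> --reassign=<trusted-admin-id>
}
```

An empty result is not a clean bill of health: an attacker who logged in through the generated URL could have renamed the fc_user_ account, created further administrators under ordinary-looking names, or left a backdoor that no longer needs an account. Treat the prefix search as a quick triage step and follow it with a review of every administrator account, its registration date and any plugin or theme changes since the site was first exposed.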
Patch Released in Version 6.1.1
The vendor fixed the issue by adding a capability check to the vulnerable AJAX action:

    // Authorization check added in 6.1.1: only users holding manage_options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'Unauthorized' ), 403 );
        exit();
    }

The patch restricts the endpoint to authenticated users holding the manage_options capability, which on a single-site install means administrators. The fully patched WP Maps Pro version 6.1.1 was released on May 20, 2026.
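To show the vulnerable registration pattern from the "How the Vulnerability Worked" section beside its hardened form, here is a minimal reconstruction of both. This is an added illustration, not code from WP Maps Pro or from Wordfence: the action slug wpgmp_temp_access, the script handle wpgmp-frontend, the script path js/frontend.js and the JavaScript object name wpgmp_ajax are assumed placeholders. Only the callback name, the WPGMP_Temp_Access class, the nonce action fc-call-nonce, the nonce parameter nonce and the manage_options check come from the article.

```php
<?php
// Added illustration, not the plugin's code. Names marked "assumed" are placeholders.
// The BEFORE and AFTER halves are alternatives; do not register both in one site.

/* ---------- BEFORE: the pattern the article describes ---------- */

add_action( 'wp_enqueue_scripts', function () {
    // Assumed handle and path; the real plugin's are not given in the article.
    wp_enqueue_script( 'wpgmp-frontend', plugins_url( 'js/frontend.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // This is what puts the nonce into the HTML of every public page, where
    // any visitor (or scraper) can read it.
    wp_localize_script( 'wpgmp-frontend', 'wpgmp_ajax', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'fc-call-nonce' ),
    ) );
} );

function wpgmp_temp_access_ajax_callback_before() {
    // A nonce is a CSRF token: it proves the request came from a page that
    // carried the nonce, not that the caller is allowed to create administrators.
    check_ajax_referer( 'fc-call-nonce', 'nonce' );
    $temp_access = new WPGMP_Temp_Access();
    wp_send_json( $temp_access->wpgmp_temp_access_support() );
}
// Assumed slug. The nopriv hook is what makes the handler reachable when logged out.
add_action( 'wp_ajax_wpgmp_temp_access',        'wpgmp_temp_access_ajax_callback_before' );
add_action( 'wp_ajax_nopriv_wpgmp_temp_access', 'wpgmp_temp_access_ajax_callback_before' );

/* ---------- AFTER: authorize first, then CSRF-check, and no nopriv hook ---------- */

function wpgmp_temp_access_ajax_callback_after() {
    // Authorization: who is calling? Anonymous users have no capabilities, so
    // this alone closes the hole; keep it even though the nopriv hook is gone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'Unauthorized' ), 403 ); // exits
    }
    // CSRF: did the request come from a page we rendered for this user?
    check_ajax_referer( 'fc-call-nonce', 'nonce' );
    $temp_access = new WPGMP_Temp_Access();
    wp_send_json( $temp_access->wpgmp_temp_access_support() );
}
// Only the authenticated hook. With no wp_ajax_nopriv_ registration,
// admin-ajax.php answers logged-out callers with "0" and HTTP 400.
add_action( 'wp_ajax_wpgmp_temp_access', 'wpgmp_temp_access_ajax_callback_after' );
```

The order matters less than the presence of both checks: current_user_can() answers "is this caller allowed to do this?", check_ajax_referer() answers "did this request come from our own page?", and neither substitutes for the other. Dropping the wp_ajax_nopriv_ registration is cheap defense in depth for any action that should never be callable by an anonymous visitor. On multisite, note that manage_options is held by every site administrator; use is_super_admin() if only network administrators should reach a support back door of this kind.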
Wordfence Timeline
- March 24, 2026 — Wordfence received the vulnerability report.
- May 16, 2026 — Researchers validated the exploit and escalated the issue to the Envato security team after failing to locate direct vendor contact information.
- May 18, 2026 — Wordfence Premium, Care, and Response users received firewall protection.
- May 20, 2026 — WP Maps Pro 6.1.1 was released.
- June 17, 2026 — Free Wordfence users were scheduled to receive the same firewall protection.
Wordfence urged users to update the WordPress plugin immediately to prevent exploitation and reduce the risk of site takeover.