Particle.news

Critical WP Maps Pro Flaw Lets Attackers Create WordPress Admin Accounts

Unauthenticated callers can invoke a support AJAX endpoint that creates an administrator user and returns a passwordless login link for it.

Overview

  • Security researcher David Brown reported the bug; the maintainers fixed it in WP Maps Pro 6.1.1 on May 20, 2026 by restricting the endpoint to authenticated administrators.
  • The flaw stems from the plugin registering a temporary-access AJAX action with wp_ajax_nopriv_ (which serves logged-out visitors) and relying on a frontend nonce embedded via wp_localize_script. That nonce is printed into the page source for every visitor, so it only guards against CSRF and offers no access control at all.
  • A crafted request can cause the plugin to call wp_insert_user() with a hardcoded administrator role, generate a 'magic' login URL, and authenticate the attacker with wp_set_auth_cookie(), enabling full site takeover.
  • Multiple security firms have observed active exploitation and blocked thousands of attempts in short windows, with reported 24‑hour block counts ranging from about 1,700 to more than 3,600 depending on the vendor.
  • Site owners should update to WP Maps Pro 6.1.1 immediately, or deactivate the plugin until they can patch, because a successful takeover lets the attacker install backdoors, inject malware, or steal data; with over 15,000 installations, the exposed population is large.
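The following PHP is an added illustration of the pattern the bullets above describe, written for this page rather than taken from WP Maps Pro; the action name `example_temp_access`, the function names and the `example_magic` query parameter are hypothetical. The first half shows the anti-pattern (a publicly visible nonce treated as authorization, a `wp_ajax_nopriv_` hook, a hardcoded administrator role, and a magic link consumed with `wp_set_auth_cookie()`); the second half shows the shape of a fix that requires a logged-in caller with the relevant capability.

```php
<?php
// Added example, not WP Maps Pro's code. All names below are hypothetical.

// ---- Vulnerable pattern ---------------------------------------------------
// The nonce is written into the HTML served to every visitor, so possessing it
// proves nothing about who is calling.
add_action( 'wp_enqueue_scripts', 'example_enqueue_support_script' );
function example_enqueue_support_script() {
    wp_enqueue_script( 'example-support', plugins_url( 'support.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-support', 'exampleSupport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_temp_access' ), // readable by anyone
    ) );
}

// wp_ajax_nopriv_ exposes the handler to logged-out requests.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_vulnerable' );
function example_temp_access_vulnerable() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // CSRF check only, not authorization
    $login   = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => 'administrator', // hardcoded privileged role
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    // "Magic" link: whoever holds the token is logged in as the new admin.
    $token = wp_generate_password( 40, false );
    set_transient( 'example_magic_' . $token, $user_id, 15 * MINUTE_IN_SECONDS );
    wp_send_json_success( array(
        'login_url' => add_query_arg( 'example_magic', $token, home_url( '/' ) ),
    ) );
}

add_action( 'init', 'example_consume_magic_link' );
function example_consume_magic_link() {
    if ( empty( $_GET['example_magic'] ) ) {
        return;
    }
    $token   = sanitize_text_field( wp_unslash( $_GET['example_magic'] ) );
    $user_id = get_transient( 'example_magic_' . $token );
    if ( $user_id ) {
        delete_transient( 'example_magic_' . $token );
        wp_set_auth_cookie( (int) $user_id, true ); // caller now holds an admin session
        wp_safe_redirect( admin_url() );
        exit;
    }
}

// ---- Hardened pattern -----------------------------------------------------
// No nopriv hook, so logged-out requests get WordPress's default "0" response,
// and the handler itself re-checks capability before creating anything.
add_action( 'wp_ajax_example_temp_access_fixed', 'example_temp_access_hardened' );
function example_temp_access_hardened() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // still useful, but only against CSRF
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $login   = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => 'editor', // least privilege: no administrator unless there is a reason
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) ); // no passwordless login link
}
```

The two checks that matter are the absence of a `wp_ajax_nopriv_` registration and the `current_user_can()` call inside the handler; a nonce from `wp_localize_script` should never be the only thing standing between an anonymous request and `wp_insert_user()`. When reviewing a plugin for this class of bug, grep for `wp_ajax_nopriv_` and follow each hooked function to see whether it reaches `wp_insert_user()`, `wp_set_auth_cookie()` or a role change without a capability check.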