WP Maps Pro Bug Lets Strangers Become Site Admins

A bug in WP Maps Pro is being actively exploited to hand attackers full admin access to WordPress sites — here's what to check right now.


WP Maps Pro Vulnerability Is Being Actively Exploited Right Now

Attackers aren't waiting for you to patch this one. They're already using a flaw in WP Maps Pro to create administrator accounts on WordPress sites — meaning someone you've never heard of could have full control of your site right now.

This article is based on information available as of 1 June 2026.


What's Actually Happening

There's not much official detail confirmed from the source material yet — the article from BleepingComputer was inaccessible at time of writing. Here's what is actually confirmed from the alert itself.

The plugin is called WP Maps Pro. According to the alert flagged on 1 June 2026, a bug in this plugin is being actively exploited — not just discovered in a lab, but used in real attacks against live WordPress sites right now. The specific exploit allows attackers to create new administrator accounts without logging in first.

An administrator account (in plain terms: the highest level of access on a WordPress site) lets someone install plugins, delete content, change passwords, redirect your visitors, or hand your site over to a spam network. You wouldn't necessarily notice anything had changed. That's what makes this type of attack particularly nasty.

We could not confirm the exact version numbers affected, the CVE identifier (that's the official code security researchers use to track a specific flaw), or the total number of sites running WP Maps Pro — the full article was unavailable. We'll update this post as more detail emerges.


Who Should Be Worried Right Now

Do you, or does any client of yours, have WP Maps Pro installed? Check now. Don't wait until Monday.

If you're a freelance developer or agency managing client sites, this is the kind of thing you find out about when the client rings you to say their homepage is selling something they didn't list. By then, the attacker has had days to dig in.

WP Maps Pro is a premium plugin — which means it won't appear in the standard WordPress plugin search unless you've paid for it. It also means automatic update notifications can be easy to miss if the licence has lapsed.


What to Do Right Now

No patch details are publicly confirmed yet. That said, here's what you can do immediately:

  1. Check if it's installed. Go to your WordPress dashboard → Plugins → search for WP Maps Pro. If it's there, treat it as a risk until a patch is confirmed.
  2. Check your admin accounts. Go to Users → All Users → filter by Administrator. Do you recognise every single account? If there's one you don't recognise, remove it immediately and change your admin password.
  3. Temporarily deactivate the plugin if you can afford to lose the map functionality while you wait for a verified fix. Deactivating a plugin removes its ability to run code — which cuts off the attack route.
  4. Check your site's access logs if your host gives you access to them. Look for unusual POST requests around plugin files. (If you don't know how to do this, ask your host's support team.)
  5. Update immediately once a patched version is confirmed. Don't sit on it.
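
For the access-log step, here is one way to pull out POST requests aimed at a plugin's folder. This is an added example, not code from the plugin vendor or from the original alert. It assumes your host writes logs in the common "combined" format; the folder name `example-maps-plugin`, the file name `handler.php` and every log line below are constructed placeholders, so substitute the folder name you see under wp-content/plugins/ on your own site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the plugin's folder name under wp-content/plugins/ is not given
# on this page. Read it from your own install and pass it in.
PLUGIN_DIR = "example-maps-plugin"  # placeholder, not the real folder name

# Combined Log Format, the default access-log layout for Apache and nginx.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2026:03:12:44 +0000] "POST /wp-content/plugins/example-maps-plugin/handler.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jun/2026:03:12:49 +0000] "POST /wp-content/plugins/example-maps-plugin/handler.php HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.20 - - [01/Jun/2026:09:30:01 +0000] "GET /wp-content/plugins/example-maps-plugin/assets/map.js HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jun/2026:09:31:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Jun/2026:11:02:10 +0000] "POST /wp-content/plugins/example%2Dmaps-plugin/handler.php?x=1 HTTP/1.1" 403 150 "-" "python-requests/2.31"
garbage line that does not parse
"""

def plugin_posts(log_text, plugin_dir=PLUGIN_DIR):
    """Return {client_ip: [(timestamp, path, status), ...]} for every POST
    whose path falls under wp-content/plugins/<plugin_dir>/."""
    prefix = f"/wp-content/plugins/{plugin_dir.lower()}/"
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and ordinary GET traffic
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if prefix in path:  # "in" also covers WordPress installed in a subfolder
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)

def report(hits):
    """One summary line per client, busiest first."""
    lines = []
    for ip, reqs in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        ok = sum(1 for _, _, s in reqs if 200 <= s < 300)
        lines.append(f"{ip}: {len(reqs)} POST(s), {ok} answered 2xx, first at {reqs[0][0]}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(plugin_posts(SAMPLE_LOG))))
```

Any client that shows up here with 2xx responses is worth comparing against the creation time of your administrator accounts from step 2.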

Fair point — some of this requires a bit of technical help. If you're managing client sites solo, now's a good time to loop in a developer for even a 30-minute audit.


Can Uptrue Detect This?

Not directly — Uptrue isn't a security scanner. It won't spot a rogue admin account being created.

But here's what it will catch: the side effects. Sites that get compromised through vulnerabilities like this often end up redirecting visitors, throwing errors, or going offline as attackers modify core files. Uptrue monitors your site's uptime and response in real time, so if your site suddenly starts returning errors or goes dark, you'll know within minutes — not when a client calls you.

If you're managing multiple client sites and you're not monitoring them, Uptrue's tracker is worth a look. Right now it's watching 439 sites, and 91 of those are showing degraded performance today. That's the kind of thing you want to know before your client does.


FAQ

What is WP Maps Pro? WP Maps Pro is a premium WordPress plugin that lets you add custom, interactive maps to your site — typically used by businesses to show store locations or event venues.

How do I know if my WordPress site has been compromised through this bug? Go to your WordPress dashboard, click Users, then All Users, and look for any administrator accounts you don't recognise. An unfamiliar admin account is the clearest sign of this specific type of attack.

What does it mean when attackers create an admin account on my WordPress site? It means they have the same level of access as you — they can install or delete plugins, change your content, lock you out, or use your site to send spam or host malicious files.

Should I disable WP Maps Pro right now? If you can temporarily lose the map feature on your site, yes — deactivating the plugin removes the attack route while you wait for a confirmed, patched version. Re-enable it once a fix is verified.

Will updating WordPress itself fix this? No. This is a plugin-level vulnerability, not a WordPress core issue. Updating WordPress won't help here — you need to update or deactivate WP Maps Pro specifically.


Sources

  1. WP Maps Pro bug exploited to create admin accounts — BleepingComputer (paywalled/redirected at time of writing)
  2. Uptrue — website uptime monitoring
  3. Uptrue live tracker

Uptrue Team, Website Monitoring Platform