A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. 

The issue impacted all WP Maps Pro versions up to 6.1.0. The plugin had more than 15,000 sales at the time the vulnerability was disclosed. 

The vulnerability was submitted to the Wordfence Bug Bounty Program on March 24, 2026. Security researcher David Brown discovered and responsibly reported the flaw, earning a $1,950 bounty. 

Wordfence stated that attackers could exploit a vulnerable AJAX action to create administrator accounts without authentication. 
How the WP Maps Pro WordPress...