
WP Maps Pro Privilege Escalation Exploit Explained

A critical vulnerability has been discovered in WP Maps Pro (versions ≤ 6.1.0) that allows unauthenticated attackers to create administrator accounts via the wpgmp_temp_access_ajax AJAX action.

This plugin security flaw enables privilege escalation without requiring login credentials, effectively allowing remote attackers to take full control of affected WordPress sites.

Site administrators using WP Maps Pro should assume immediate risk and update to a patched version without delay.

Affected Plugin

  • Plugin: WP Maps Pro (WordPress Google Maps Plugin)
  • Vulnerability Type: Unauthenticated Privilege Escalation
  • Attack Vector: AJAX endpoint (wpgmp_temp_access_ajax)
  • Affected Versions: ≤ 6.1.0
  • Impact: Administrator account creation / full site takeover

Overview of the Vulnerability

The vulnerability exists in the wpgmp_temp_access_ajax AJAX action, which is exposed without proper authentication or capability checks.

In vulnerable versions (≤ 6.1.0), this endpoint allows unauthenticated users to trigger logic that creates temporary access records. Because role assignment and user creation are insufficiently validated, attackers can steer this process into generating administrator-level accounts.

In effect, the endpoint trusts user-supplied input without enforcing strict authorization boundaries.

How the Exploit Works

A typical attack follows this pattern:

  1. The attacker sends a crafted request to:
     • admin-ajax.php?action=wpgmp_temp_access_ajax
  2. The endpoint processes the request without authentication checks.
  3. The attacker manipulates parameters related to:
     • temporary access creation
     • role assignment logic
     • user provisioning flow
  4. The system inadvertently creates a new WordPress user account.
  5. The attacker assigns or escalates privileges to administrator level.
  6. Full site takeover is achieved.

Why This Vulnerability Is Critical

This is not a simple data leak or XSS issue.

It is critical because:

  • No authentication is required
  • Administrator accounts can be created remotely
  • Exploitation is trivial to automate
  • Impact is immediate and complete

Once exploited, attackers gain:

  • Full WordPress admin dashboard access
  • Ability to install plugins/themes
  • Ability to inject malware
  • Control over content and users

Real-World Impact

If exploited, attackers may:

  • Create hidden administrator accounts
  • Install malicious plugins or backdoors
  • Redirect website traffic to external domains
  • Inject SEO spam or phishing content
  • Maintain persistent access via cron jobs or modified files

In many cases, site owners only discover the compromise after search engine penalties or hosting suspension.

Exploitation Status

At the time of writing, public exploit scripts may already exist or are likely to emerge rapidly, because of:

  • low complexity of the vulnerability
  • unauthenticated attack surface
  • predictable endpoint structure

Historically, AJAX-based privilege escalation vulnerabilities are weaponized quickly after disclosure.

How to Fix the WP Maps Pro Vulnerability

1. Update immediately

Upgrade WP Maps Pro to the latest patched version beyond 6.1.0.

2. Check for unauthorized admin users

Manually review:

  • Users → Administrator accounts
  • Unknown or recently created accounts

3. Inspect AJAX activity

Monitor requests to:

  • admin-ajax.php?action=wpgmp_temp_access_ajax

Look for unusual or repeated access attempts.

4. Scan for compromise indicators

Check for:

  • modified wp_options entries
  • unknown plugins installed
  • unexpected redirects
  • new scheduled cron tasks

5. Harden WordPress access

  • Enable MFA for admin accounts
  • Restrict admin access by IP (if possible)
  • Install a Web Application Firewall (WAF)
  • Disable unused AJAX actions where possible
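The manual checks in steps 2 to 4 can be collected into a single WP-CLI audit run. The script below is an added example written for this article, not code from the WP Maps Pro project. It assumes WP-CLI is installed, that the access log path passed on the command line is readable, and a 30-day look-back window for "recently created" accounts; the action name wpgmp_temp_access_ajax and the other indicators come from the article. Note that admin-ajax.php accepts the action in the POST body as well as the query string, and web server access logs record only the latter, so an empty log result does not prove the endpoint was never called.

```php
<?php
/**
 * Post-disclosure audit for a WordPress site (added example, not plugin code).
 * Run from the WordPress root with WP-CLI, passing the web server access log:
 *     wp eval-file wpgmp-audit.php /var/log/nginx/access.log
 * Covers: administrator accounts and registration dates (step 2), requests
 * carrying the vulnerable AJAX action (step 3), redirect/URL settings,
 * active plugins and scheduled cron hooks (step 4).
 */

$log_path = $args[0] ?? null;                 // WP-CLI places positional args in $args
$lookback = time() - 30 * DAY_IN_SECONDS;     // assumption: flag accounts newer than 30 days

echo "== Administrator accounts (newest first) ==\n";
$admins = get_users( array( 'role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC' ) );
foreach ( $admins as $u ) {
    $flag = ( strtotime( $u->user_registered ) >= $lookback ) ? '  <-- registered recently, verify' : '';
    printf( "%5d  %-20s %-30s %s%s\n", $u->ID, $u->user_login, $u->user_email, $u->user_registered, $flag );
}

echo "\n== Requests to admin-ajax.php with action=wpgmp_temp_access_ajax ==\n";
if ( $log_path && is_readable( $log_path ) ) {
    $hits = array();
    $fh   = fopen( $log_path, 'r' );
    while ( ( $line = fgets( $fh ) ) !== false ) {
        // Combined log format: the client address is the first field. Only the
        // query-string form of the action is visible here; POST bodies are not logged.
        if ( false !== strpos( $line, 'admin-ajax.php' )
             && preg_match( '/[?&]action=wpgmp_temp_access_ajax\b/', $line ) ) {
            $ip          = strtok( $line, ' ' );
            $hits[ $ip ] = ( $hits[ $ip ] ?? 0 ) + 1;
        }
    }
    fclose( $fh );
    arsort( $hits );
    foreach ( $hits as $ip => $n ) {
        printf( "%6d  %s\n", $n, $ip );   // repeated hits from one address are the pattern to review
    }
    if ( ! $hits ) {
        echo "none found (the action may have travelled in POST bodies, which access logs omit)\n";
    }
} else {
    echo "no readable access log given; pass its path as the first argument\n";
}

echo "\n== Site URLs (an unexpected domain indicates a redirect hijack) ==\n";
printf( "siteurl: %s\nhome:    %s\n", get_option( 'siteurl' ), get_option( 'home' ) );

echo "\n== Active plugins (compare against your known inventory) ==\n";
require_once ABSPATH . 'wp-admin/includes/plugin.php';
foreach ( get_plugins() as $file => $data ) {
    if ( is_plugin_active( $file ) ) {
        printf( "%-40s %-10s %s\n", $data['Name'], $data['Version'], $file );
    }
}

echo "\n== Scheduled cron hooks (unknown hooks are a common persistence mechanism) ==\n";
foreach ( (array) _get_cron_array() as $timestamp => $hooks ) {
    if ( ! is_array( $hooks ) ) {
        continue;   // defensive: skip any non-event entry in the stored cron array
    }
    foreach ( $hooks as $hook => $events ) {
        foreach ( $events as $event ) {
            printf( "%s  %-40s %s\n", gmdate( 'Y-m-d H:i:s', $timestamp ), $hook, $event['schedule'] ?: 'once' );
        }
    }
}
```

Treat every flagged line as a lead to verify against your own change records rather than as proof of compromise: a recently registered administrator may be legitimate, while an attacker-created one can carry an innocuous-looking login. If the log section shows repeated hits to the action from a single address before your update date, proceed with the full compromise review in the next section.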

Compromise Indicators

You may already be compromised if you observe:

  • Unknown administrator accounts
  • Sudden changes in site content
  • New plugins installed without authorization
  • Suspicious outbound traffic from the server
  • Unexpected changes in homepage or SEO metadata

Security Takeaway

This vulnerability highlights a recurring pattern in WordPress plugin security:

AJAX endpoints exposed without strict authentication checks can become full privilege escalation vectors.

Even seemingly harmless “temporary access” features can result in full site takeover when role validation is missing or improperly enforced.
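The pattern the overview and this takeaway describe, an AJAX action reachable by visitors who are not logged in whose role handling trusts request input, together with the checks that close it, as an added example. This is generic illustrative code written for this article, not WP Maps Pro's source: the example_temp_access action name, the function names and the access-level allow-list are hypothetical, and the WordPress API calls used are standard core functions.

```php
<?php
/**
 * Illustrative "temporary access" AJAX handler for WordPress (added example,
 * not the plugin's code). The first block shows the unsafe shape described
 * in the article; the second shows the same feature with the missing
 * controls in place.
 */

// --- UNSAFE PATTERN (shown for contrast, do not deploy) ------------------
// wp_ajax_nopriv_* fires for anonymous visitors, and the handler copies a
// caller-supplied role straight into wp_insert_user(). No nonce, no
// capability check, no allow-list: any request can provision any role.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_unsafe' );
function example_temp_access_unsafe() {
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $role  = sanitize_key( $_POST['role'] ?? 'subscriber' ); // attacker-controlled
    $uid   = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    wp_send_json_success( array( 'id' => $uid ) );
}

// --- HARDENED PATTERN -----------------------------------------------------
// 1. Register only the authenticated hook (wp_ajax_*), never the nopriv one.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    // 2. CSRF protection: the nonce must have been issued to this user for this
    //    action (the front end obtains it from wp_create_nonce( 'example_temp_access' )).
    check_ajax_referer( 'example_temp_access', '_ajax_nonce' );

    // 3. Authorization: only users who may create users reach the provisioning logic.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. The role is chosen server-side from an allow-list. The request picks a
    //    key, never a raw role name, and administrator is simply not on offer.
    $allowed_roles = array(
        'viewer' => 'subscriber',
        'editor' => 'editor',
    );
    $choice = sanitize_key( $_POST['access_level'] ?? '' );
    if ( ! isset( $allowed_roles[ $choice ] ) ) {
        wp_send_json_error( array( 'message' => 'Invalid access level' ), 400 );
    }

    // 5. Validate the remaining input before it reaches the database.
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid login or email' ), 400 );
    }

    $uid = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $allowed_roles[ $choice ],
    ) );
    if ( is_wp_error( $uid ) ) {
        wp_send_json_error( array( 'message' => $uid->get_error_message() ), 400 );
    }

    // 6. Leave an audit trail: who created which account with which role.
    error_log( sprintf(
        'example_temp_access: user %d created account %d (%s, role %s)',
        get_current_user_id(), $uid, $login, $allowed_roles[ $choice ]
    ) );
    wp_send_json_success( array( 'id' => $uid ) );
}
```

Each control addresses one of the failures the article names: dropping the nopriv hook removes the unauthenticated surface, check_ajax_referer() stops cross-site triggering by a logged-in victim, current_user_can( 'create_users' ) enforces the authorization boundary, and the allow-list makes role assignment a server decision rather than request input. wp_send_json_error() terminates the request, so no code after a failed check runs.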

Final Recommendation

If your site uses WP Maps Pro ≤ 6.1.0, treat this as a critical security incident.

Update immediately and audit your WordPress installation for signs of compromise.
