Overview
- Security researcher David Brown reported the bug, and the plugin maker fixed it in version 6.1.1, released on May 20, 2026.
- The flaw let anyone call a support AJAX endpoint to create a new user with the administrator role and receive a magic login URL that logs them in without a password.
- Security firms have observed active exploitation and blocked thousands of attempts, with Wordfence reporting about 2,858 blocks and Defiant reporting more than 3,600 blocks in recent 24-hour windows.
- Site owners running WP Maps Pro versions 6.1.0 and earlier should update to 6.1.1 immediately, search user lists for unfamiliar admin accounts, remove any rogue admins, rotate credentials, and scan for backdoors or malicious plugins.
- The root cause was using a frontend-embedded nonce as the only gate for a wp_ajax_nopriv_ endpoint, which is ineffective as an access control and let the temporary-access support feature be abused at scale.
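To make the root-cause point concrete, the following is an added example written for this page, not code from WP Maps Pro or its vendor. It shows a "temporary support access" AJAX handler in the weak shape the last bullet describes (an unauthenticated `wp_ajax_nopriv_` hook whose only gate is a nonce that the plugin itself prints into the public front end) next to a hardened version. All hook names, option names, and function names are hypothetical.

```php
<?php
/*
 * Added illustrative code, not from the plugin. Hook, option and function
 * names below are invented for the example.
 */

/*
 * WEAK PATTERN (as the page describes it).
 * - Registered under wp_ajax_nopriv_, so logged-out visitors can reach it.
 * - The only check is a nonce. wp_create_nonce() output is embedded in the
 *   public front-end page, so every anonymous visitor already holds a valid
 *   one; check_ajax_referer() therefore says nothing about WHO is calling.
 * - Nonces are a CSRF defence, not an authorization mechanism.
 */
add_action( 'wp_ajax_nopriv_support_temp_access', 'support_temp_access_weak' );
function support_temp_access_weak() {
	check_ajax_referer( 'support_temp_access', 'nonce' );
	// ... creates an administrator account and returns a login link (omitted) ...
	wp_send_json_success();
}

/*
 * HARDENED PATTERN.
 * Authorization is decided by WordPress capabilities, the feature is opt-in,
 * the created account gets the least role that does the job and an expiry,
 * and no password-less login URL is handed back over AJAX.
 */
// Only the authenticated hook: wp_ajax_ runs for logged-in users exclusively.
add_action( 'wp_ajax_support_temp_access', 'support_temp_access_hardened' );
function support_temp_access_hardened() {
	// 1. Nonce stays, but purely as CSRF protection for a logged-in admin.
	check_ajax_referer( 'support_temp_access', 'nonce' );

	// 2. Real access control: caller must hold the capabilities needed to
	//    create and assign roles to users (administrators do by default).
	if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Feature must be explicitly switched on by a site administrator.
	if ( ! get_option( 'support_temp_access_enabled', false ) ) {
		wp_send_json_error( array( 'message' => 'Temporary support access is disabled.' ), 403 );
	}

	// 4. Least privilege: role comes from a filterable setting, never hard-coded
	//    to administrator; the account carries an expiry the plugin enforces.
	$role    = apply_filters( 'support_temp_access_role', 'editor' );
	$expires = time() + DAY_IN_SECONDS;
	$login   = 'support_' . wp_generate_password( 8, false, false );

	$user_id = wp_insert_user( array(
		'user_login' => $login,
		'user_pass'  => wp_generate_password( 32, true, true ),
		'role'       => $role,
	) );
	if ( is_wp_error( $user_id ) ) {
		wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
	}
	update_user_meta( $user_id, 'support_temp_access_expires', $expires );

	// 5. Audit trail: record who created the account and when it lapses.
	error_log( sprintf(
		'[support-access] user %d created temporary %s account %d (expires %s)',
		get_current_user_id(), $role, $user_id, gmdate( 'c', $expires )
	) );

	// Return only the account id; credential hand-off happens out of band.
	wp_send_json_success( array( 'user_id' => $user_id, 'expires' => $expires ) );
}

/*
 * Enforcement of the expiry: remove lapsed support accounts on each scheduled
 * run (the 'support_temp_access_cleanup' event is assumed to be scheduled
 * elsewhere with wp_schedule_event()).
 */
add_action( 'support_temp_access_cleanup', 'support_temp_access_cleanup' );
function support_temp_access_cleanup() {
	require_once ABSPATH . 'wp-admin/includes/user.php';
	$expired = get_users( array(
		'meta_key'     => 'support_temp_access_expires',
		'meta_value'   => time(),
		'meta_compare' => '<',
		'meta_type'    => 'NUMERIC',
		'fields'       => 'ID',
	) );
	foreach ( $expired as $user_id ) {
		wp_delete_user( $user_id );
	}
}
```

The decisive change is the pair of `current_user_can()` checks together with dropping the `wp_ajax_nopriv_` registration: a nonce only proves the request was issued from a page the site served, which for a public front end is true of every visitor, whereas a capability check ties the action to an authenticated account that is already allowed to create users.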
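For the clean-up step in the advice above (searching user lists for unfamiliar administrators), here is an added helper, again not part of the plugin or the original page, that can be dropped into a must-use plugin or run through `wp eval-file`. It compares the administrators actually present against an allow-list the operator maintains and additionally flags administrators registered after a cutoff date; both the allow-list and the cutoff are placeholders to be filled in.

```php
<?php
/*
 * Added illustrative code, not from the plugin. The allow-list and cutoff
 * date are operator-supplied placeholders.
 */

/**
 * Return administrators that are either not on the operator's allow-list or
 * were registered on/after $since (MySQL datetime or Y-m-d string).
 *
 * @param string[] $known_admin_logins Logins the operator recognises.
 * @param string   $since              Cutoff registration date (placeholder).
 * @return array  Two lists: 'unexpected' and 'recent' (WP_User objects).
 */
function audit_admin_accounts( array $known_admin_logins, $since ) {
	$admins = get_users( array(
		'role'    => 'administrator',
		'orderby' => 'registered',
		'order'   => 'DESC',
	) );

	$known      = array_map( 'strtolower', $known_admin_logins );
	$unexpected = array();
	$recent     = array();
	$cutoff     = strtotime( $since . ' UTC' );

	foreach ( $admins as $user ) {
		if ( ! in_array( strtolower( $user->user_login ), $known, true ) ) {
			$unexpected[] = $user;
		}
		// user_registered is stored as UTC in the users table.
		if ( strtotime( $user->user_registered . ' UTC' ) >= $cutoff ) {
			$recent[] = $user;
		}
	}

	return array( 'unexpected' => $unexpected, 'recent' => $recent );
}

/**
 * Print a one-line-per-account report suitable for a terminal.
 */
function print_admin_audit( array $result ) {
	foreach ( array( 'unexpected', 'recent' ) as $bucket ) {
		printf( "== %s administrators (%d) ==\n", $bucket, count( $result[ $bucket ] ) );
		foreach ( $result[ $bucket ] as $user ) {
			printf(
				"%5d  %-30s %-40s registered %s\n",
				$user->ID, $user->user_login, $user->user_email, $user->user_registered
			);
		}
	}
}

// Placeholders: replace with the real list of expected admins and the date
// from which you want new administrator registrations reviewed.
$result = audit_admin_accounts( array( 'REPLACE_WITH_KNOWN_ADMIN_LOGIN' ), 'YYYY-MM-DD' );
print_admin_audit( $result );
```

Review every account in the `unexpected` bucket before deleting it with `wp_delete_user()` (or `wp user delete` with `--reassign`), and treat a rogue administrator as a sign that the rest of the remediation in the advice above (credential rotation and a backdoor/plugin scan) is also needed, since an attacker with an admin session could have installed persistence that survives the account's removal.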