If you use WP Maps Pro, treat this as urgent. The flaw lets an attacker create a new administrator account, which gives them full control of your site.
WP Maps Pro can let attackers create admin accounts
Wordfence reported an unauthenticated administrator account creation flaw in WP Maps Pro. Unauthenticated means the attacker does not need to log in first. If they exploit it, they can add their own admin user and take over the site.
This affects sites that run the WP Maps Pro plugin before the patched release. Wordfence says the fix shipped in version 6.1.1, and it estimates more than 15,000 sites use the plugin. If your site runs WP Maps Pro and you have not updated to 6.1.1, assume you are exposed.
Update WP Maps Pro to version 6.1.1 now. After that, check your Users list for any administrator account you did not create, remove anything suspicious, and change passwords for all admin users. If you run Wordfence, note that Premium, Care, and Response users got a firewall rule on May 18, 2026, while free users do not get the same rule until June 17, 2026. That delay matters, so do not wait for firewall coverage if you use the free version.
End of article