Critical WP Maps Pro Vulnerability Actively Exploited in the Wild
ID: bbfbd945-35e4-5fd4-ad32-47a7aa599999
STIX ID: report--bbfbd945-35e4-5fd4-ad32-47a7aa599999
Feed Name: securityonline.info
A critical zero-day in the WP Maps Pro WordPress plugin lets unauthenticated actors create rogue administrator accounts via a support callback endpoint that lacks a capability check. Attackers receive a secret login URL that authenticates them without a password. Wordfence telemetry indicates active mass exploitation (2,514 blocked attacks in 24 hours). The vendor released an update (6.1.1+) that adds proper capability checks and mitigates the issue.
