WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover
ID: e37889ec-ee81-508c-9ca0-9fba93f5057b
STIX ID: report--e37889ec-ee81-508c-9ca0-9fba93f5057b
Feed Name: The Cyber Express
The report details a critical unauthenticated privilege-escalation vulnerability in the WP Maps Pro WordPress plugin (versions <= 6.1.0) that let attackers create administrator accounts through a vulnerable AJAX action. The handler was registered on the wp_ajax_nopriv_ hook, so it was reachable without logging in, and the nonce it relied on was publicly exposed; because a WordPress nonce is a CSRF token rather than an authorization check, nothing stopped an unauthenticated request from succeeding. Successful exploitation enabled full site takeover (installing plugins, backdoors and webshells, and stealing data). Wordfence validated the exploit and deployed mitigation rules, and the vendor released a fix in version 6.1.1 that restricts the endpoint to administrators.
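As an added example, not code from WP Maps Pro, from the report, or from Wordfence, the following shows the handler pattern the summary describes: a nonce-only check on an action reachable through wp_ajax_nopriv_, beside a hardened version that drops the nopriv hook, enforces a capability check, and pins the role server-side. All action names, script handles, option keys and function names are hypothetical.

```php
<?php
/**
 * Added illustration of the vulnerable-versus-fixed WordPress AJAX pattern.
 * Not the plugin's code; every name below is made up for the example.
 */

// ---------- Vulnerable pattern ----------
// Registering the nopriv hook means admin-ajax.php runs this callback for
// anonymous visitors as well as logged-in users.
add_action( 'wp_ajax_demo_maps_save_user',        'demo_maps_save_user_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_maps_save_user', 'demo_maps_save_user_vulnerable' );

// The nonce is written into public page HTML via wp_localize_script, so any
// visitor can read it from the page source and reuse it.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-maps', plugins_url( 'demo-maps.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-maps', 'demoMaps', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_maps_nonce' ),
    ) );
} );

function demo_maps_save_user_vulnerable() {
    // Only the CSRF nonce is verified. A nonce proves the request came from a
    // page that printed it, not that the sender is allowed to create users.
    check_ajax_referer( 'demo_maps_nonce', 'nonce' );

    // The role comes straight from the request, so 'administrator' is accepted.
    // An anonymous POST to admin-ajax.php?action=demo_maps_save_user with the
    // scraped nonce and role=administrator yields a new admin account.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
        'role'       => sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// ---------- Hardened pattern ----------
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the
// callback, which is what "restricting the endpoint to administrators" means
// at the hook level.
add_action( 'wp_ajax_demo_maps_save_user_fixed', 'demo_maps_save_user_fixed' );

function demo_maps_save_user_fixed() {
    // The nonce still guards against CSRF; the capability check is the
    // actual authorization decision.
    check_ajax_referer( 'demo_maps_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Never take a role or password from the client; fix both server-side.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24, true, true ),
        'role'       => 'subscriber',
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The two things that matter when auditing a plugin for this bug class are whether a state-changing action is registered on a wp_ajax_nopriv_ hook and whether the callback calls current_user_can() (or an equivalent capability check) rather than only check_ajax_referer() or wp_verify_nonce(). On a site that ran an affected version, updating to 6.1.1 removes the entry point but not any account an attacker already created; reviewing administrator accounts (for example with WP-CLI, wp user list --role=administrator) and recently installed plugins or files is the corresponding incident-response step.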
