CVE-2026-8935

WordPress · WP MAPS PRO Plugin

The WP MAPS PRO WordPress plugin allows unauthenticated attackers to create administrator accounts via an improperly secured AJAX action.

Executive summary

This critical vulnerability allows any unauthenticated attacker to create a new administrator account, leading to full site takeover.

Vulnerability

The plugin registers an unauthenticated AJAX action that, when provided with a publicly accessible nonce, allows the creation of a new administrator account and provides a login URL for immediate access.
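The defect described above is a missing authorization check: a nonce is a CSRF token, not proof that the caller is allowed to create users. The following is an added example, not the plugin's own code (which this advisory does not reproduce), of how a user-creating AJAX action in WordPress should be gated; the action name `demo_create_user` and the request parameter names are assumptions.

```php
<?php
// Added example (not WP MAPS PRO code). Hypothetical action name: demo_create_user.

// Register only the authenticated hook. There is deliberately no
// 'wp_ajax_nopriv_' registration: anonymous visitors have no reason to call this.
add_action( 'wp_ajax_demo_create_user', 'demo_create_user_handler' );

function demo_create_user_handler() {
    // 1. CSRF check. A nonce proves the request originated from a page that
    //    rendered it; it says nothing about who is making the request.
    check_ajax_referer( 'demo_create_user', 'nonce' );

    // 2. Authorization. Without this check a valid nonce alone would suffice,
    //    which is the failure mode this advisory describes.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    // 3. Never let the request choose an arbitrary role: allow-list the roles
    //    this feature legitimately needs, so 'administrator' cannot be requested.
    $allowed_roles = array( 'subscriber', 'editor' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }

    // 4. Deliver credentials out of band (password-set e-mail) rather than
    //    returning a ready-to-use login URL in the AJAX response.
    wp_new_user_notification( $user_id, null, 'user' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Auditing for the impact described in the Remediation section can also be scripted: an administrator account with a `user_registered` timestamp in the exposure window that nobody on the team created is the indicator to look for.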

Business impact

With a CVSS score of 9.8, this vulnerability grants an attacker full administrative control over the WordPress instance. This allows for total data exposure, site defacement, and the installation of malicious plugins or backdoors, causing significant reputational and operational damage.

Remediation

Immediate Action: Update the WP MAPS PRO plugin to version 6.1.1 or later.

Proactive Monitoring: Review the user list in the WordPress dashboard for any unauthorized administrator accounts created recently.

Compensating Controls: Restrict access to the WordPress admin panel via IP whitelisting or multi-factor authentication (MFA) to prevent unauthorized use of the created accounts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The ability to create an administrative account without authentication is a critical security failure. Administrators must update the plugin immediately and audit existing user accounts for signs of compromise.