Wordfence has disclosed a vulnerability in the WP Go Maps WordPress plugin, which it reports is installed on more than 300,000 sites. The flaw allows authenticated users with subscriber-level accounts to change global map engine settings. The plugin developer has patched the issue in version 10.0.05.
Site owners using WP Go Maps are advised to update to version 10.0.05 or later to prevent low-privilege users from altering map configuration across their sites.
Key details on the WP Go Maps plugin issue
The WP Go Maps plugin displays customizable maps on WordPress pages and posts for local businesses and other site owners. Administrators can manage markers and map settings without writing code, which simplifies map management inside the WordPress dashboard.
- Wordfence reports that the plugin is installed on more than 300,000 WordPress sites.
- The vulnerability allows authenticated users with Subscriber-level access and above to modify global map engine settings.
- The issue arises from a missing capability check in the processBackgroundAction() function.
- Wordfence classifies the issue as unauthorized modification of data caused by missing authorization checks.
- According to the Wordfence advisory, the vulnerability affects all versions up to and including 10.0.04.
- The same advisory states that version 10.0.05 and later contain a patch for this issue.
- Published descriptions indicate that the flaw allows low-permission users to switch the map engine used across the entire site.
Background context
In WordPress, the Subscriber role is the lowest default permission level for registered users. Subscribers can typically manage their own profiles but cannot modify site settings or plugin configurations.
Wordfence's vulnerability database lists multiple prior issues affecting WP Go Maps. According to that database, four vulnerabilities in 2025 and seven vulnerabilities in 2024 were recorded. The same source documents earlier vulnerabilities for this plugin dating back to 2019.
Wordfence states that sites running affected versions with subscriber-level registration enabled are exposed to authenticated attackers. This exposure relates specifically to the ability of subscriber accounts to trigger the vulnerable function.
Wordfence is a security company that develops the Wordfence security plugin and maintains a public vulnerability database. The Wordfence advisory for WP Go Maps appears in that database within the WordPress plugin vulnerabilities section.
Search Engine Journal reported the current vulnerability in coverage by staff writer Roger Montti, summarizing the Wordfence findings and highlighting the impact on sites that allow subscriber-level registration.
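
A defender-side check for the exposure described above, as an added example that is not code from Wordfence or the plugin developer: it reads a plugin header and the value of the WordPress `users_can_register` option, then classifies the site against the 10.0.05 fix. The header text is constructed sample input, and the function names and result labels are hypothetical.

```python
import re

# First fixed release per the advisory: 10.0.05 (10.0.04 and earlier are affected).
PATCHED = (10, 0, 5)

# Constructed sample of a plugin main-file header, not copied from the real plugin.
SAMPLE_HEADER = """/*
 * Plugin Name: WP Go Maps
 * Version: 10.0.04
 */"""


def parse_header(text):
    """Return (plugin name, version tuple) from a WordPress plugin header comment."""
    pattern = r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$"
    fields = dict(re.findall(pattern, text, re.M))
    # "10.0.05" becomes (10, 0, 5): components compare as integers, so the
    # zero padding does not affect ordering.
    version = tuple(int(p) for p in re.findall(r"\d+", fields.get("Version", "")))
    return fields.get("Plugin Name", ""), version


def assess(header_text, users_can_register):
    """Classify a site from its plugin header and the users_can_register option."""
    name, version = parse_header(header_text)
    if "WP Go Maps" not in name:
        return "not-applicable"
    if not version:
        return "unknown-version"
    if version >= PATCHED:
        return "patched"
    # Subscriber is the lowest default role, so any self-registered account
    # meets the "Subscriber-level access and above" precondition.
    if str(users_can_register) == "1":
        return "affected-open-registration"
    # Still affected: accounts that already exist can reach the function.
    return "affected"


if __name__ == "__main__":
    print(assess(SAMPLE_HEADER, "1"))
```

On a live site the two inputs would come from the plugin's main PHP file and the `users_can_register` row in the options table.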






