A newly disclosed security weakness in the WP Go Maps plugin for WordPress could place thousands of websites at risk. The flaw allows users with very low permission levels to change important map settings that should normally only be managed by administrators.
The WP Go Maps plugin is installed on more than 300,000 WordPress websites worldwide. Because of its popularity, any vulnerability within the plugin has the potential to affect a large number of businesses and organisations that rely on it to display maps on their sites.
WP Go Maps is commonly used by local businesses to show store locations, delivery areas, and contact page maps. It helps website owners present visual directions and location markers without needing advanced technical knowledge or coding skills.
The plugin allows users to customise maps, add multiple markers, and choose different map engines. This makes it especially useful for restaurants, shops, service providers, and other businesses that depend on location-based information for customers.
Despite its usefulness, the plugin has had a mixed history when it comes to security. In 2024 alone, seven vulnerabilities were reported, while four more were identified in 2025. Earlier issues also appeared in previous years, dating back as far as 2019, though not as frequently.
The latest vulnerability can only be exploited by users who are logged into the website with Subscriber-level access or higher. The Subscriber role is the lowest permission level in WordPress and is often given to users who register for newsletters, comments, or basic site access.
This means that if a website allows visitors to create accounts, attackers may be able to take advantage of this flaw using only a basic login. They do not need administrator or editor privileges to carry out the attack.
The problem comes from a missing security check inside the plugin’s processBackgroundAction() function. In WordPress, a capability check is normally used to confirm whether a user is allowed to perform sensitive actions, such as changing settings or modifying data.
Because this check is missing, the plugin accepts commands from users who should not have permission to control map engine settings. This creates an opening for misuse by low-level users.
As a result, attackers can change the global map engine used by the plugin. These settings apply across the entire website and can affect how maps are displayed on all pages where WP Go Maps is active.
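To make the missing check concrete, here is an added example (hypothetical code, not WP Go Maps' own source) of a WordPress admin-ajax handler that updates a site-wide map engine option, first without and then with the capability check the text describes. Function names, hook names, the option name and the engine values are illustrative assumptions.

```php
<?php
// Added example, not the plugin's code. A WordPress admin-ajax handler that
// writes a site-wide option. Every logged-in user, Subscriber included, can
// reach wp_ajax_* handlers, so authorisation must happen inside the handler.

// VULNERABLE pattern (shown for contrast, intentionally not registered):
// no nonce and no capability check, so any authenticated user can
// rewrite a global setting that only administrators should control.
function example_vulnerable_set_engine() {
    $engine = isset( $_POST['engine'] ) ? sanitize_text_field( wp_unslash( $_POST['engine'] ) ) : '';
    update_option( 'example_map_engine', $engine ); // global, site-wide setting
    wp_send_json_success( array( 'engine' => $engine ) );
}

// HARDENED pattern: CSRF nonce, administrator-level capability check, and an
// allow-list for the value before the global option is touched.
function example_hardened_set_engine() {
    // Nonce check: request must come from our own settings page (CSRF defence).
    check_ajax_referer( 'example_set_engine_nonce', 'nonce' );

    // Capability check, the piece the article says was missing. Subscribers
    // lack manage_options, so they are rejected with HTTP 403 here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Restrict the engine to known values (assumed names for illustration).
    $allowed = array( 'google-maps', 'open-layers' );
    $engine  = isset( $_POST['engine'] ) ? sanitize_text_field( wp_unslash( $_POST['engine'] ) ) : '';
    if ( ! in_array( $engine, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown map engine.' ), 400 );
    }

    update_option( 'example_map_engine', $engine );
    wp_send_json_success( array( 'engine' => $engine ) );
}
add_action( 'wp_ajax_example_set_engine', 'example_hardened_set_engine' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, REST or admin-post handler that calls `update_option()` or similar and confirm a `current_user_can()` check precedes the write.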
Security experts at Wordfence described the issue as an unauthorised modification of data. In practical terms, this means the plugin allows users without proper authority to change information that should be restricted to site administrators.
Although this vulnerability does not allow full control of a website, it still presents a serious concern. Altering map settings could disrupt business operations, confuse visitors, or interfere with how a site presents location information.
Any website running a vulnerable version of the plugin and allowing subscriber-level accounts is exposed to this risk. The vulnerability affects all versions of WP Go Maps up to and including version 10.0.04.
No special server setup or advanced tools are required to exploit the issue. As long as the attacker has a basic account and the vulnerable plugin version is active, the flaw can be used.
This situation highlights the importance of regularly reviewing user permissions and limiting registration features where possible. Websites that do not require user accounts may face less risk from this specific issue.
Fortunately, the developers of WP Go Maps have already released a fix. The vulnerability has been patched in version 10.0.05 of the plugin.
Website owners are strongly advised to update to version 10.0.05 or later as soon as possible. Applying updates promptly is one of the most effective ways to protect WordPress sites from known security threats.
If updating is not immediately possible, site owners may consider temporarily disabling the plugin or restricting user registration until the update can be applied. This can reduce the chance of the vulnerability being exploited.
This incident also serves as a reminder that even widely used and trusted plugins can develop security flaws over time. Regular maintenance, plugin updates, and security monitoring are essential to keeping WordPress websites safe and reliable.