A security vulnerability has been identified in the WP Go Maps WordPress plugin, which is installed on an estimated 300,000 websites. The flaw allows any authenticated user, including those holding only the lowest Subscriber-level role, to modify the plugin's global map engine settings, potentially disrupting how maps function across a site. Site owners are urged to update the plugin immediately.

About the WP Go Maps Plugin

The WP Go Maps plugin is widely used by WordPress sites, particularly those of local businesses, to embed customizable maps in pages and posts: contact locations, delivery areas, store branches. Site owners manage markers and map settings from the WordPress dashboard without writing code.

Understanding the Vulnerability

The root cause is a missing capability check in the plugin's processBackgroundAction() function. WordPress authorization is capability-based: a handler that performs a privileged operation is expected to confirm, typically with current_user_can(), that the current user holds a capability such as manage_options before acting. Being logged in is not authorization. Because processBackgroundAction() performed no such check, it processed settings changes from any authenticated user, not only from administrators.

Consequently, an attacker who holds nothing more than a Subscriber account can change the plugin's global map engine settings. These settings are site-wide, so any change affects maps across the whole site. Subscriber is the role WordPress assigns to self-registered accounts by default, so on a site with open registration the only precondition is signing up. Wordfence, a WordPress security firm, describes the issue as unauthorized modification of data: a low-privileged user manipulating settings normally reserved for administrators.

The official Wordfence advisory provides further detail, stating: “The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings.”
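To show what a missing capability check looks like in practice, the following is an added illustration written for this article; it is not the WP Go Maps plugin's code and is not taken from the advisory. It places a simplified settings handler without the check beside a hardened version. The handler bodies, the option name example_map_engine, the nonce action example_engine_settings and the engine values are assumptions made for the example, and the WordPress functions are replaced by minimal stand-ins so the file runs from the command line.

```php
<?php
// Added illustration for this article; it is NOT the WP Go Maps plugin's code.
// The handler bodies, the option name 'example_map_engine', the nonce action
// 'example_engine_settings' and the engine values are assumptions.
// The WordPress functions below are minimal stand-ins so the file runs
// outside WordPress (php example.php); inside WordPress the real ones exist.

$current_caps = [];   // capabilities of the simulated logged-in user
$options      = [];   // simulated wp_options table

function current_user_can(string $cap): bool {
    global $current_caps;
    return in_array($cap, $current_caps, true);
}
function update_option(string $name, $value): bool {
    global $options;
    $options[$name] = $value;
    return true;
}
function get_option(string $name, $default = false) {
    global $options;
    return $options[$name] ?? $default;
}
// Real wp_verify_nonce() checks an HMAC tied to the user and action; the
// stand-in accepts one fixed token so the flow can be exercised here.
function wp_verify_nonce(string $nonce, string $action): bool {
    return hash_equals('demo-nonce-' . $action, $nonce);
}

// BEFORE: any logged-in user who can reach this handler can change a
// site-wide setting, because nothing checks what they are allowed to do.
function processBackgroundAction_vulnerable(array $request): string {
    if (($request['action'] ?? '') !== 'set_engine') {
        return 'ignored';
    }
    update_option('example_map_engine', $request['engine'] ?? '');
    return 'saved';
}

// AFTER: authorization first (capability), then CSRF protection (nonce),
// then input validation. A nonce alone would NOT fix the bug: a Subscriber
// can obtain a valid nonce for their own session, so the capability check
// is what actually enforces "administrators only".
function processBackgroundAction_fixed(array $request): string {
    if (($request['action'] ?? '') !== 'set_engine') {
        return 'ignored';
    }
    if (!current_user_can('manage_options')) {
        return 'forbidden';                 // 403 in a real handler
    }
    if (!wp_verify_nonce($request['nonce'] ?? '', 'example_engine_settings')) {
        return 'bad_nonce';
    }
    $engine = $request['engine'] ?? '';
    if (!in_array($engine, ['google-maps', 'open-layers'], true)) {
        return 'invalid_engine';            // allow-list; never store arbitrary strings
    }
    update_option('example_map_engine', $engine);
    return 'saved';
}

// Simulate the attack: a Subscriber (only the 'read' capability) sends the
// same constructed request to each handler.
$current_caps = ['read'];
$attack = ['action' => 'set_engine', 'engine' => 'open-layers',
           'nonce'  => 'demo-nonce-example_engine_settings'];

update_option('example_map_engine', 'google-maps');
printf("vulnerable handler:    %s, engine now '%s'\n",
       processBackgroundAction_vulnerable($attack), get_option('example_map_engine'));

update_option('example_map_engine', 'google-maps');
printf("fixed handler:         %s, engine still '%s'\n",
       processBackgroundAction_fixed($attack), get_option('example_map_engine'));

// An administrator still succeeds through the fixed handler.
$current_caps = ['read', 'manage_options'];
printf("fixed handler (admin): %s, engine now '%s'\n",
       processBackgroundAction_fixed($attack), get_option('example_map_engine'));
```

Run it with php and compare the three printed lines: the Subscriber changes the setting through the unchecked handler but is refused by the hardened one, while an administrator still succeeds. Note the order of the checks: the capability check comes before the nonce check, because a nonce only proves the request came from the user's own session, not that the user is permitted to perform the action.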

History of Vulnerabilities

While the WP Go Maps plugin is a popular tool, it has faced security challenges before: several vulnerabilities have been reported in it since 2019, including multiple flaws in 2024.

Affected Versions and Solution

All versions of the WP Go Maps plugin up to and including 10.0.04 are affected. Exploitation requires only an authenticated account, so sites that allow open registration (which grants the Subscriber role by default) are exposed to anyone who signs up, and sites with existing untrusted low-privilege users are exposed to them. The fix is included in version 10.0.05; site owners should update to 10.0.05 or newer immediately. Because updating does not undo changes already made, sites that were exposed should also verify that their map engine settings are as expected.