WP Go Maps Plugin Vulnerability Affects Up To 300K WordPress Sites

According to Roger Montti’s article, “WP Go Maps Plugin Vulnerability Affects Up To 300K WordPress Sites,” published on Search Engine Journal, a security flaw has been identified in the WP Go Maps WordPress plugin that could impact as many as 300,000 websites.

Vulnerability Overview

Montti reports that the flaw allows authenticated users with Subscriber-level access or higher to modify global map engine settings within the WP Go Maps plugin. While the issue does not allow unauthenticated attacks, the Subscriber role is the lowest permission level in WordPress, meaning the vulnerability can be exploited on sites that enable user registration.

WP Go Maps is commonly used by local businesses to display interactive maps of store locations, service areas, and contact pages, making configuration integrity critical to site functionality and reliability.

Root Cause

The vulnerability is caused by a missing capability check in the plugin’s processBackgroundAction() function. Because the function does not verify whether a logged-in user is authorized to change settings, it processes requests from users who should not have that level of access.

According to Wordfence, this results in unauthorized data modification, allowing low-privilege users to alter site-wide map engine settings that should be restricted to administrators.
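To make the class of bug concrete, the following is an added illustration written for this summary; it is not WP Go Maps' own code and does not reproduce the real processBackgroundAction() function. It shows a hypothetical settings handler (all names prefixed example_ are invented) registered through WordPress's wp_ajax_ hook, first in the vulnerable shape where any logged-in user can reach it, then hardened with the capability check that was missing, plus a nonce check and an allow-list.

```php
<?php
// Added example, not WP Go Maps' code. Hypothetical handler names (example_*)
// are constructed for illustration; the WordPress functions used are core APIs.

// --- Vulnerable pattern: no authorization check ---
// wp_ajax_* hooks fire for every authenticated user, Subscriber included,
// so this handler lets the lowest role rewrite a site-wide option.
function example_save_map_engine_vulnerable() {
    $engine = sanitize_text_field( wp_unslash( $_POST['engine'] ?? '' ) );
    update_option( 'example_map_engine', $engine ); // global setting changed
    wp_send_json_success( array( 'engine' => $engine ) );
}
add_action( 'wp_ajax_example_save_map_engine_vulnerable', 'example_save_map_engine_vulnerable' );

// --- Hardened pattern: authorize first, then verify request origin and input ---
function example_save_map_engine_hardened() {
    // Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Nonce check: rejects requests that did not originate from the plugin's
    // own settings form, which also blocks CSRF against an administrator.
    check_ajax_referer( 'example_map_engine_nonce', 'nonce' );

    // Constructed allow-list; a real plugin would list its supported engines.
    $allowed = array( 'google', 'openlayers' );
    $engine  = sanitize_text_field( wp_unslash( $_POST['engine'] ?? '' ) );
    if ( ! in_array( $engine, $allowed, true ) ) {
        wp_send_json_error( 'invalid engine', 400 );
    }

    update_option( 'example_map_engine', $engine );
    wp_send_json_success( array( 'engine' => $engine ) );
}
add_action( 'wp_ajax_example_save_map_engine_hardened', 'example_save_map_engine_hardened' );

// --- Detection aid: record who changed the option and when ---
// Hooking updated_option gives defenders an audit trail for settings changes.
function example_log_map_engine_change( $option, $old_value, $value ) {
    if ( 'example_map_engine' !== $option ) {
        return;
    }
    error_log( sprintf(
        'map engine changed by user %d: %s -> %s',
        get_current_user_id(),
        (string) $old_value,
        (string) $value
    ) );
}
add_action( 'updated_option', 'example_log_map_engine_change', 10, 3 );
```

The order matters: the capability check runs before anything touches the request body, so an unauthorized user is rejected before any state changes. The updated_option hook at the end is the kind of lightweight logging that would surface a Subscriber-level account altering an administrator-only setting during an investigation.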

Scope and Context

Montti notes that WP Go Maps has seen an increase in reported vulnerabilities in recent years, with 4 disclosed in 2025 and 7 in 2024, compared to fewer reports in earlier years.

The issue affects all versions up to and including 10.0.04. Any site running a vulnerable version with Subscriber-level access enabled is potentially exposed.

Patch and Recommendations

The vulnerability has been fixed in version 10.0.05 of the plugin. Site owners are advised to update to the patched version immediately. For sites that allow public user registration, prompt updates are essential to prevent unauthorized configuration changes.

As Montti’s reporting highlights, even vulnerabilities that do not allow a full site takeover can still pose operational and security risks when low-privilege users can modify global plugin settings.
