WP Go Maps Vulnerability Lets Low-Privilege Users Alter Global Settings

A newly disclosed security vulnerability in the WP Go Maps plugin for WordPress could affect more than 300,000 websites, allowing low-privileged users to alter critical plugin settings.

The issue enables authenticated users with Subscriber-level access to modify global map engine configurations, a capability that should be restricted to administrators.

Widely used mapping plugin

WP Go Maps is commonly used by local businesses and organizations to embed interactive maps on WordPress sites. Typical use cases include contact pages, store locator maps, service areas, and delivery zones. The plugin allows site owners to manage markers and map behavior without custom development.

The plugin has seen recurring security issues in recent years. Multiple vulnerabilities were reported in both 2024 and 2025, though the frequency of disclosures has varied over time.

Missing permission check at the core

The vulnerability stems from a missing capability check in the plugin’s processBackgroundAction() function. In WordPress, capability checks are used to ensure that only users with appropriate permissions can perform sensitive actions.

Because this validation is absent, the function accepts requests from users who are logged in but lack administrative privileges. As a result, any authenticated user with Subscriber-level access or higher can change global map engine settings used across the site.

These settings determine how maps are rendered and which mapping services are used, meaning unauthorized changes can affect the plugin’s behavior site-wide.

Conditions for exploitation

The flaw can only be exploited on sites that allow user registration and assign Subscriber roles to users. While Subscriber is the lowest standard WordPress role, many sites enable it for comments, memberships, or gated content, increasing exposure.

Security researchers classify the issue as an unauthorized modification of data vulnerability, reflecting the ability of low-privilege users to alter configuration settings beyond their intended scope.

Patch available

The vulnerability affects all versions of WP Go Maps up to and including version 10.0.04. The issue has been addressed in version 10.0.05, which restores proper permission checks.

Site owners using WP Go Maps are advised to update to the latest version as soon as possible. Websites that cannot update immediately should review user registration settings and limit Subscriber access where feasible until the patch is applied.
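The version range and registration condition above can be turned into a quick inventory check. The following is an added example, not code from the plugin or from the researchers; the record field names (`plugin_version`, `users_can_register`, `default_role`) and the sample sites are constructed for illustration.

```python
"""Triage WP Go Maps installs against the advisory above (added example)."""
import re

# From the article: every version up to and including 10.0.04 is affected;
# 10.0.05 restores the permission check.
FIRST_FIXED = "10.0.05"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.0.04' into (10, 0, 4); reject anything that is not dotted digits."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    # Components compare numerically, so '10.0.4' and '10.0.04' are the same release.
    return parse_version(version) < parse_version(FIRST_FIXED)


def triage(site: dict) -> dict:
    """Classify one site record (field names are assumptions of this example)."""
    name = site["name"]
    try:
        affected = is_affected(site["plugin_version"])
    except ValueError:
        return {"site": name, "status": "unknown", "action": "check version manually"}
    if not affected:
        return {"site": name, "status": "patched", "action": "none"}
    # Exploitation condition from the article: registration open, Subscriber role assigned.
    if site["users_can_register"] and site["default_role"] == "subscriber":
        return {"site": name, "status": "exposed",
                "action": f"update to {FIRST_FIXED} or later; restrict registration until then"}
    return {"site": name, "status": "vulnerable",
            "action": f"update to {FIRST_FIXED} or later; limit Subscriber access"}


# Constructed inventory, not real sites or a real version history.
SAMPLE_SITES = [
    {"name": "shop.example", "plugin_version": "10.0.04", "users_can_register": True, "default_role": "subscriber"},
    {"name": "blog.example", "plugin_version": "9.0.40", "users_can_register": False, "default_role": "subscriber"},
    {"name": "docs.example", "plugin_version": "10.0.05", "users_can_register": True, "default_role": "subscriber"},
    {"name": "old.example", "plugin_version": "10.0.4-beta", "users_can_register": True, "default_role": "subscriber"},
]

if __name__ == "__main__":
    for record in SAMPLE_SITES:
        print(triage(record))
```

Version strings that are not plain dotted digits are reported as unknown instead of being guessed at, so a pre-release or vendor-modified build gets a manual look.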

As with many WordPress plugin vulnerabilities, timely updates remain the most effective mitigation.
