WP Go Maps Plugin Vulnerability Puts 300K+ WordPress Sites at Risk

Website Maintenance, Security | 29 January 2026 | By IceBoxDesigns

If your WordPress site uses the WP Go Maps plugin and you haven't updated it recently, check your version right now. A confirmed vulnerability in all versions up to and including 10.0.04 lets any logged-in user, even someone with just a basic subscriber account, tamper with your site's global map settings. A fix is available: version 10.0.05.

Key takeaways

  • The WP Go Maps plugin vulnerability affects all versions up to and including 10.0.04, installed on over 300,000 websites.
  • Attackers only need a subscriber-level account (the lowest WordPress permission level) to exploit it.
  • The flaw is a missing capability check in the plugin's processBackgroundAction() function.
  • Exploiting it lets an attacker change global map engine settings across your entire site.
  • Update to version 10.0.05 or newer to fix the issue.

What is WP Go Maps?

WP Go Maps (formerly WP Google Maps) is a popular plugin that lets local businesses display customisable maps on their WordPress pages and posts: think contact page maps, delivery areas, and store locations. It's designed so site owners can manage map markers and settings without writing any code, which is why it's on over 300,000 sites.

The plugin has had a fair few security issues. In 2025 alone there have been four vulnerabilities, and seven were recorded in 2024, with further issues going back as far as 2019. That history is worth keeping in mind when you think about how closely you monitor plugin updates.

What exactly is the vulnerability?

The problem sits inside a function called processBackgroundAction(). Normally, WordPress plugins use capability checks to confirm whether a logged-in user actually has permission to do something before they do it. This function is missing that check entirely.

Because the check isn't there, any authenticated user, regardless of their role, can send requests to that function and have them processed. In practical terms, that means someone with a subscriber account, the most basic account type WordPress offers, can change the global map engine settings that apply across your whole site.

Wordfence, who published the security advisory, described it as "unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04."

These aren't minor per-page tweaks either. The settings affected are site-wide and control how the entire WP Go Maps plugin functions across every page it appears on.
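To make the "missing capability check" concrete, here is an added illustration of the bug class beside its fix. This is hypothetical example code, not WP Go Maps' own code: the action name, option name, function names and the allowed engine values are all made up for the example. WordPress runs any `wp_ajax_*` hook for every logged-in user, so a handler that writes a site-wide option without a capability check is exactly the shape of flaw the advisory describes.

```php
<?php
/**
 * Added, hypothetical example (not from the WP Go Maps plugin): an AJAX
 * handler that saves a site-wide map setting, first as the vulnerable
 * pattern, then hardened. Names and values are invented for illustration.
 */

// --- Vulnerable pattern --------------------------------------------------
// Every logged-in user (subscriber included) can reach wp_ajax_* hooks.
// With no capability check, anyone who can log in can overwrite an option
// that applies to the whole site.
function example_unsafe_save_map_engine() {
    $engine = isset($_POST['engine'])
        ? sanitize_text_field(wp_unslash($_POST['engine']))
        : '';
    update_option('example_map_engine', $engine); // site-wide, no authorisation
    wp_send_json_success();
}
add_action('wp_ajax_example_unsafe_save_map_engine', 'example_unsafe_save_map_engine');

// --- Hardened pattern ----------------------------------------------------
function example_safe_save_map_engine() {
    // 1. Capability check: only users allowed to manage site options may
    //    change a global setting. wp_send_json_error() ends the request.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    // 2. Nonce check: stops a cross-site request riding on an admin's
    //    session. This is CSRF protection, not a substitute for step 1.
    check_ajax_referer('example_map_engine', 'nonce');

    // 3. Validate the value against an allow-list instead of trusting input.
    $allowed = array('google-maps', 'open-layers'); // example values only
    $engine  = isset($_POST['engine'])
        ? sanitize_text_field(wp_unslash($_POST['engine']))
        : '';
    if (!in_array($engine, $allowed, true)) {
        wp_send_json_error(array('message' => 'Unknown map engine.'), 400);
    }

    update_option('example_map_engine', $engine);
    wp_send_json_success(array('engine' => $engine));
}
add_action('wp_ajax_example_safe_save_map_engine', 'example_safe_save_map_engine');
// No wp_ajax_nopriv_ registration: logged-out visitors never reach the handler.
```

The order of the checks matters: `current_user_can()` decides who is allowed to act, while the nonce only proves the request came from a page that user loaded. A nonce on its own would still let a subscriber change the setting from their own session, which is the scenario the advisory describes.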

Who is actually at risk?

Your site is exposed if two things are true at the same time:

  1. You're running WP Go Maps version 10.0.04 or earlier.
  2. Your site allows users to register with a subscriber-level account (or higher).

If your site is completely private, has no user registration, or only trusted people have accounts, the practical risk is lower. But if you have open registration, a membership area, a WooCommerce shop where customers create accounts, or anything similar, any one of those users could potentially exploit this flaw.
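For anyone managing several installs, here is an added script (not part of the plugin or of any site's code) that checks both conditions above from the command line. It is written to run with WP-CLI as `wp eval-file check-wp-go-maps.php` inside the WordPress root. It locates the plugin by matching its display name, which assumes the plugin header still contains "WP Go Maps" or "WP Google Maps"; the fixed version 10.0.05 is taken from the advisory.

```php
<?php
/**
 * Added example for `wp eval-file`: reports whether this site meets both
 * exposure conditions (WP Go Maps <= 10.0.04 and accounts below admin that
 * could be used to reach the unprotected action). Not the plugin's own code;
 * plugin lookup by display name is an assumption.
 */
require_once ABSPATH . 'wp-admin/includes/plugin.php';

const EXAMPLE_FIXED_VERSION = '10.0.05'; // first patched release, per the advisory

// Pure helper: true when the installed version is older than the fixed one.
function example_needs_update(string $installed): bool {
    return version_compare($installed, EXAMPLE_FIXED_VERSION, '<');
}

// Locate the plugin without assuming its directory or main file name.
$found = null;
foreach (get_plugins() as $file => $data) {
    if (stripos($data['Name'], 'WP Go Maps') !== false
        || stripos($data['Name'], 'WP Google Maps') !== false) {
        $found = array(
            'file'    => $file,
            'version' => $data['Version'],
            'active'  => is_plugin_active($file),
        );
        break;
    }
}

if ($found === null) {
    WP_CLI::log('WP Go Maps is not installed on this site.');
    return;
}

$vulnerable   = example_needs_update($found['version']);
$open_signup  = (bool) get_option('users_can_register');   // "Anyone can register"
$default_role = get_option('default_role');                // role new sign-ups get
$roles        = count_users()['avail_roles'];             // e.g. ['subscriber' => 120, ...]
$non_admins   = array_sum($roles) - ($roles['administrator'] ?? 0);

WP_CLI::log(sprintf(
    'WP Go Maps %s (%s): %s',
    $found['version'],
    $found['active'] ? 'active' : 'inactive',
    $vulnerable ? 'VULNERABLE, update to ' . EXAMPLE_FIXED_VERSION : 'patched'
));
WP_CLI::log(sprintf('Open registration: %s (default role: %s)',
    $open_signup ? 'yes' : 'no', $default_role));
WP_CLI::log(sprintf('Existing accounts below administrator: %d', $non_admins));

if ($vulnerable && $found['active'] && ($open_signup || $non_admins > 0)) {
    WP_CLI::warning('Exposed: low-privilege accounts can change global map settings. Update now.');
} elseif ($vulnerable) {
    WP_CLI::warning('Vulnerable version present; update before activating it or adding accounts.');
} else {
    WP_CLI::success('Not exposed to this issue.');
}
```

Run it on each site in turn, or wrap it in a loop over your install paths, since auto-updates may be on for some sites and off for others. The account count is there because closing registration does not help if subscriber accounts already exist.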

How to fix it

The fix is straightforward: update WP Go Maps to version 10.0.05 or newer. A patch has been released, so there's no reason to leave your site exposed.

To update:

  1. Log in to your WordPress dashboard.
  2. Go to Plugins > Installed Plugins.
  3. Find WP Go Maps in the list.
  4. If an update is available, click Update Now.

That's it. If you manage several WordPress sites, check each one individually, since auto-updates aren't always enabled on every installation.

Keeping plugins updated is one of the most effective things you can do for your site's security. If you'd rather not think about this stuff yourself, our website maintenance service covers plugin updates, security monitoring, and more, so nothing slips through the cracks.

Should you also review your user registration settings?

While you're in the dashboard, it's worth checking whether open user registration is actually necessary for your site. If you don't need it, turning it off removes a whole category of risk, not just for this vulnerability but for future ones too.

You'll find that setting under Settings > General > Membership; uncheck "Anyone can register" if you don't need public sign-ups.

If managing WordPress security feels like a distraction from running your business, our WordPress development and support team can help you put the right safeguards in place from the start.

Don't sit on this one

The WP Go Maps plugin vulnerability is real, it's patched, and the fix takes about thirty seconds. Update to version 10.0.05 now. If you're not sure which version your site is running, or you manage multiple WordPress sites and need a hand auditing them, get in touch with the team at IceBoxDesigns and we'll sort it out for you.

Frequently asked questions

Which versions of WP Go Maps are affected by this vulnerability?

All versions up to and including 10.0.04 are affected. You should update to version 10.0.05 or newer to fix the issue.

Does an attacker need admin access to exploit this flaw?

No. The vulnerability can be exploited by anyone with a subscriber-level account, which is the lowest WordPress permission level. They just need to be logged in.

What can an attacker actually do if they exploit this vulnerability?

They can modify the global map engine settings used by the WP Go Maps plugin. These settings apply across your entire site and affect how the plugin behaves on every page it's used on.

My site has open user registration. Are we definitely at risk?

If you're running WP Go Maps version 10.0.04 or earlier and users can register with at least a subscriber account, yes, you're exposed. Update the plugin to 10.0.05 immediately, and consider whether open registration is necessary for your site.

Related services

Need a hand with this? Here's how IceBoxDesigns can help.
