WP Maps Pro Vulnerability Exploited by Hackers to Create Admin Accounts on WordPress Sites
Cybercriminals are targeting WordPress sites that run an outdated version of the WP Maps Pro plugin. The vulnerability allows them to create unauthorized administrator accounts.
The security flaw, identified as CVE-2026-8732, is deemed critical and affects WP Maps Pro versions 6.1.0 and earlier. The issue was brought to light by security analyst David Brown.
WP Maps Pro is a premium plugin for WordPress that facilitates the creation of interactive maps and store locators. It offers support for various map providers including Google Maps and OpenStreetMap.
Primarily utilized by businesses, real estate platforms, travel websites, directories, and organizations requiring multi-location map displays, WP Maps Pro has garnered over 15,800 sales on the Envato Market.
The vulnerability (CVE-2026-8732) stems from a “temporary access” function within the plugin designed to permit vendor support personnel to troubleshoot customer sites.
Brown discovered that the AJAX endpoint associated with this function could be accessed by unauthenticated users. The protection mechanism solely relied on a publicly available nonce check in frontend JavaScript, rendering it ineffective.
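The root cause described above is a nonce being treated as an access control. A nonce only proves that the request came from a page the site served (it is visible to every visitor in front-end JavaScript); it says nothing about who the caller is or what they are allowed to do. The following is an added example, not code from WP Maps Pro or from the researchers, showing the weak pattern beside a hardened handler. The action name `demo_temp_access` and the nonce action string are hypothetical.

```php
<?php
// Added example (not WP Maps Pro code). Shows why a nonce-only check on an AJAX
// endpoint is not authorisation, and what the hardened handler looks like.
// All names below (demo_temp_access, demo_temp_access_nonce, 'security') are hypothetical.

// ---------------------------------------------------------------------------
// WEAK PATTERN: the handler is registered on the *_nopriv_* hook, so
// unauthenticated visitors can reach it, and the only gate is a nonce that the
// plugin prints into public front-end JavaScript. Anyone can read that nonce and
// replay it; it proves intent, not identity or capability.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_nopriv_demo_temp_access', 'demo_temp_access_weak' );
add_action( 'wp_ajax_demo_temp_access', 'demo_temp_access_weak' );
function demo_temp_access_weak() {
    check_ajax_referer( 'demo_temp_access_nonce', 'security' ); // only check
    // ... a privileged operation (such as creating a user) would follow here ...
    wp_send_json_success( array( 'message' => 'done' ) );
}

// ---------------------------------------------------------------------------
// HARDENED PATTERN:
//  1. No nopriv registration: WordPress refuses unauthenticated callers outright.
//  2. Nonce check is kept (CSRF protection for logged-in users).
//  3. A capability check decides whether *this* user may perform the action.
//     create_users is the capability WordPress itself requires to add accounts.
//  4. Any privileged side effect is logged so that it can be reviewed later.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_demo_temp_access', 'demo_temp_access_hardened' );
function demo_temp_access_hardened() {
    check_ajax_referer( 'demo_temp_access_nonce', 'security' );

    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below runs on failure.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Never trust a client-supplied switch to skip checks: decide server-side.
    $actor = wp_get_current_user();
    error_log( sprintf(
        '[demo_temp_access] privileged action requested by %s (user %d) from %s',
        $actor->user_login,
        $actor->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // ... the privileged operation goes here, now that the caller is authorised ...
    wp_send_json_success( array( 'message' => 'done' ) );
}
```

The essential change is the capability check: `check_ajax_referer()` alone would still let any logged-in subscriber (or, with the nopriv hook, any visitor) trigger the action. Dropping the `wp_ajax_nopriv_` registration is what makes an unauthenticated request fail before the handler even runs.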
Exploiting this flaw enables attackers to send a customized request triggering the creation of a new WordPress user with administrator privileges. Subsequently, a passwordless login URL is generated and relayed to an external system.
By visiting this URL, the attacker gains automatic access to the newly established administrator account without the need for a password or any additional verification.
Security researchers at Defiant, the WordPress security firm behind Wordfence, observed multiple attempts by threat actors to exploit this vulnerability, with over 3,600 attacks blocked in the past 24 hours.
“When the request includes a check_temp parameter set to false, the function generates a new WordPress user using wp_insert_user() with an administrator role, a randomly generated username, and the email address support@flippercode.com,” explained the researchers.
Furthermore, the function creates a “magic login URL” via generate_login_link(), stores it as user meta, and includes it in the response body.
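Because the attack path ends in wp_insert_user() assigning the administrator role, one defensive control is to watch that exact event from the site's own side: any administrator account created or promoted while nobody with the right to do so is logged in is suspicious regardless of which plugin triggered it. The following must-use plugin is an added example, not code from Wordfence or WP Maps Pro. It hooks the `set_user_role` action (which WordPress fires from `WP_User::set_role()`, the path wp_insert_user() takes when a role is supplied), logs the event with the caller context, and, if the constant `ACW_DEMOTE` is defined as true, immediately demotes the account. The `ACW_` prefix and the constant name are hypothetical.

```php
<?php
/**
 * Plugin Name: Admin-Creation Watchdog (added example, not part of WP Maps Pro or Wordfence)
 * Description: Logs, and optionally demotes, administrator accounts created or promoted
 *              while no user with the promote_users capability is logged in.
 *
 * Install by copying to wp-content/mu-plugins/ so it cannot be deactivated from the
 * dashboard. Define ACW_DEMOTE as true in wp-config.php to enable automatic demotion.
 */

function acw_log( $message ) {
    // Goes to the PHP error log / WP_DEBUG_LOG; forward it to a SIEM from there.
    error_log( '[admin-watchdog] ' . $message );
}

// set_user_role fires after a role is assigned, including from wp_insert_user().
add_action( 'set_user_role', 'acw_check_role_change', 10, 3 );
function acw_check_role_change( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role ) {
        return; // only care about the highest-privilege role
    }

    // Legitimate contexts: a logged-in user allowed to promote others, or WP-CLI.
    $is_cli = defined( 'WP_CLI' ) && WP_CLI;
    if ( $is_cli || ( is_user_logged_in() && current_user_can( 'promote_users' ) ) ) {
        return;
    }

    $user    = get_userdata( $user_id );
    $actor   = wp_get_current_user();
    $context = wp_doing_ajax() ? 'admin-ajax' : ( defined( 'REST_REQUEST' ) && REST_REQUEST ? 'rest' : 'web' );

    acw_log( sprintf(
        'administrator role granted to user %d (%s <%s>) by %s via %s from %s; previous roles: %s',
        $user_id,
        $user ? $user->user_login : '?',
        $user ? $user->user_email : '?',
        $actor->ID ? $actor->user_login : 'unauthenticated',
        $context,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        implode( ',', (array) $old_roles ) ?: 'none'
    ) );

    if ( $user && defined( 'ACW_DEMOTE' ) && ACW_DEMOTE ) {
        // set_role() fires set_user_role again with 'subscriber', which the early
        // return above ignores, so this does not recurse.
        $user->set_role( 'subscriber' );
        acw_log( sprintf( 'user %d demoted to subscriber pending review', $user_id ) );
    }
}
```

The log line carries the new account's e-mail, so an entry for an address such as the support@flippercode.com value reported above would stand out immediately. Leave `ACW_DEMOTE` undefined on sites where automated user provisioning (for example a membership or SSO plugin running without a logged-in actor) legitimately assigns roles, or add that plugin's context to the allow-list before enabling demotion.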
With administrator-level access, attackers can implant persistent backdoors, alter content, access private data, deploy web shells, install malicious plugins, and assume control of the website.
Brown notified Wordfence about the flaw on March 24, and the vendor was informed on May 16 after validating the exploit.
On May 20, WP Maps Pro 6.1.1 was launched with a fix for CVE-2026-8732. Website admins are advised to promptly update their plugins as malicious activities have already been detected.