
WP Maps Pro bug was exploited to create admin accounts on WordPress sites

Hackers have targeted WordPress websites that use a vulnerable version of the WP Maps Pro plugin, exploiting a flaw that allows unauthenticated attackers to create rogue administrator accounts.

The vulnerability, tracked as CVE-2026-8732, has a critical severity rating and affects WP Maps Pro versions 6.1.0 and higher. It was discovered and reported by security researcher David Brown.

WP Maps Pro is a premium WordPress plugin for creating interactive, customizable maps and store locations. It supports many map providers, such as Google Maps and OpenStreetMap.

The plugin is often used by businesses, home websites, travel sites, directories, and organizations that need to display multiple locations on a map, and has over 15,800 sales on the Envato Marketplace.

The CVE-2026-8732 vulnerability is caused by a “temporary access” feature in the plugin, which is intended to allow vendor support staff to access customer sites to troubleshoot an issue.

Brown discovered that the AJAX endpoint used for this feature was accessible to unauthenticated users and relied only on checks in the publicly exposed front-end JavaScript, rendering the protection ineffective.

This allows an attacker to send a specially crafted request that triggers the code to create a new WordPress user, assign it the administrator role, generate a password-free login URL, and return that URL to the remote requester.

When an attacker visits this URL, they are automatically authenticated to the newly created administrator account, with no password or other authentication required.

Researchers at WordPress security firm Defiant have observed that threat actors are attempting to exploit the vulnerability, and have blocked more than 3,600 attempts in the past 24 hours.

Creating a rogue administrator user
Source: Wordfence

“When a request is made with the check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with a hard-coded admin role, a randomly generated username, and a hard-coded email address support@flippercode.com,” the researchers explained.

“The function then generates a “magical login URL” using generative_login_link(), stores it as user meta, and returns it to the response body.”

Gaining administrator-level access to a site means attackers can plant persistent backdoors, modify content, access confidential data, deploy web shells, install malicious plugins, and take full control of the website.
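As an added example (not code from the article, Wordfence or the plugin vendor), a small Python triage helper that scans the JSON output of `wp user list` for administrator accounts matching the indicators quoted above: the hard-coded support@flippercode.com address and a recently registered administrator that the site owner does not recognise. The wp-cli field names and the sample user records are assumptions constructed for the example.

```python
"""Added triage helper: flag WordPress administrator accounts that match the
indicators described for the WP Maps Pro (CVE-2026-8732) abuse."""
import json
from datetime import datetime, timedelta, timezone

# Indicator quoted in the write-up: the rogue account is created with this
# hard-coded e-mail address and the administrator role.
ROGUE_EMAIL = "support@flippercode.com"

# Constructed sample in the shape of
#   wp user list --format=json --fields=ID,user_login,user_email,roles,user_registered
# (field names are an assumption about wp-cli output; adjust if yours differ).
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
     "roles": "administrator", "user_registered": "2023-02-10 09:15:00"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.org",
     "roles": "editor", "user_registered": "2026-05-18 12:00:00"},
    {"ID": 3, "user_login": "x7q2m9kd", "user_email": "Support@flippercode.com",
     "roles": "administrator", "user_registered": "2026-05-21 03:42:17"},
])
SAMPLE_NOW = datetime(2026, 5, 22, 8, 0, 0, tzinfo=timezone.utc)  # constructed "today"


def flag_suspicious_admins(users, now, window_days=30, known_admins=()):
    """Return administrator accounts worth a closer look, with the reasons.

    known_admins: logins the site owner recognises. Any other administrator
    registered inside the lookback window is flagged, since the rogue account
    carries a random username that will not be on that list."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for u in users:
        roles = u["roles"] if isinstance(u["roles"], list) else u["roles"].split(",")
        if "administrator" not in [r.strip() for r in roles]:
            continue
        reasons = []
        if u["user_email"].strip().lower() == ROGUE_EMAIL:
            reasons.append("hard-coded vendor support e-mail")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered.replace(tzinfo=timezone.utc) >= cutoff and u["user_login"] not in known_admins:
            reasons.append(f"unknown administrator registered in the last {window_days} days")
        if reasons:
            findings.append({"ID": u["ID"], "user_login": u["user_login"], "reasons": reasons})
    return findings


def run_triage(raw_json=SAMPLE_WP_USER_LIST, now=SAMPLE_NOW, window_days=30,
               known_admins=("siteowner",)):
    """Parse the wp-cli JSON and run the checks; returns the findings list."""
    return flag_suspicious_admins(json.loads(raw_json), now, window_days, known_admins)
```

Feed it the real `wp user list --format=json` output and your own list of expected administrator logins; any hit warrants checking the account's user meta and removing it after the plugin is updated.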

Brown reported the flaw to Wordfence on March 24, and the vendor was notified on May 16 after the exploit was confirmed.

On May 20, WP Maps Pro 6.1.1 was released with a fix for CVE-2026-8732. Website administrators are advised to update the plugin immediately, as malicious activity has already been detected.
