Cybercriminals have begun actively exploiting a critical vulnerability in the popular WordPress plugin WP Maps Pro, allowing them to create administrator accounts without authentication and completely take over affected websites. Security researchers have already recorded thousands of exploitation attempts within the past 24 hours alone.
The vulnerability, tracked as CVE-2026-8732, has been assigned a CVSS score of 9.8 and affects all versions of WP Maps Pro up to and including 6.1.0. The plugin is widely used to build interactive maps, business directories, and location search services powered by Google Maps and OpenStreetMap. According to the developers, the product has recorded more than 15,000 sales on Envato Market.
The flaw was discovered by security researcher David Brown. It stems from a temporary access feature designed to allow technical support staff to connect to customer websites while troubleshooting issues. Researchers found that this functionality could be triggered without any authentication checks.
Due to an insecure implementation of an AJAX handler, an attacker could send a specially crafted request and force the plugin to automatically create a new WordPress user with administrator privileges. The system would then generate a passwordless login link, instantly granting the attacker administrative access to the site.
Researchers at Wordfence explained that the issue was caused by the use of a nonce token that was exposed on all frontend pages, effectively rendering it useless as a security control.
“This makes it possible for unauthenticated attackers to invoke the handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator.”
Once attackers gain administrative access, they can install malicious plugins, deploy backdoors, upload web shells, modify website content, or completely take over the affected site.
The situation is made even more serious by the fact that the vulnerability is already being exploited in the wild. According to Wordfence, its systems blocked more than 2,858 exploitation attempts within the last 24 hours alone, while other researchers reported observing over 3,600 attacks targeting vulnerable websites.
The developers addressed the issue on May 20 with the release of WP Maps Pro 6.1.1. The patch introduces proper authorization checks and restricts the vulnerable functionality so that it can only be used by authenticated administrators.
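The checks the fix describes, shown as an added illustration that is not WP Maps Pro's code: a hypothetical "temporary support access" AJAX handler in the weak shape the advisory describes (reachable without login, gated only by a nonce that is printed on public pages) beside a hardened version with a capability check, an admin-only nonce and a role that is not hardcoded. The hook names, the `support-access-js` script handle and the `support_access_role` filter are assumptions.

```php
<?php
// Hypothetical illustration, not WP Maps Pro's code: a "temporary support access" AJAX handler.

// WEAK: reachable unauthenticated (wp_ajax_nopriv_) and gated only by a nonce. A nonce is a
// CSRF token, not authorization; printed on every public page it is readable by any visitor.
add_action( 'wp_ajax_nopriv_support_access_weak', 'support_access_weak' );
add_action( 'wp_ajax_support_access_weak', 'support_access_weak' );
function support_access_weak() {
    check_ajax_referer( 'support_access', 'nonce' );           // the only gate
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => 'administrator',                       // hardcoded highest role
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED: no nopriv hook, capability check first, nonce second, least-privilege default
// role chosen by the site owner, and an audit log line for every account created.
add_action( 'wp_ajax_support_access', 'support_access_hardened' );
function support_access_hardened() {
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );               // authorization, then CSRF
    }
    if ( ! check_ajax_referer( 'support_access', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    $role = apply_filters( 'support_access_role', 'editor' );  // admins opt in to more
    if ( ! get_role( $role ) ) {
        wp_send_json_error( 'unknown role', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    error_log( sprintf( 'support user %d created by user %d', $user_id, get_current_user_id() ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Issue the nonce only on admin screens (handle 'support-access-js' assumed enqueued), so it
// never appears in the public frontend.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'support-access-js', 'supportAccess', array(
        'nonce' => wp_create_nonce( 'support_access' ),
    ) );
} );
```

Because `wp_send_json_error()` ends the request, every failed check stops the handler before any account is created; the capability check is what the nonce alone could never provide.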
Wordfence said it originally received a report about the vulnerability through its Bug Bounty Program on March 24, 2026. Because there was no direct security contact for the plugin developers, researchers had to coordinate disclosure through Envato’s security team. After verifying the issue, the vendor developed a fix and released version 6.1.1.
WordPress site owners are strongly urged to verify their WP Maps Pro version and update to the latest release immediately. Given the active exploitation of this vulnerability, delaying the update could result in a complete compromise of the website.