Critical WP Maps Pro Vulnerability Allows Site Takeover on 15,000 WordPress Sites
Severity: High (Score: 72.0)
Sources: Bleepingcomputer, Thecyberexpress, www.wordfence.com
Keywords: maps, wordpress, accounts, vulnerability, create, sites, site
Severity indicators: vulnerability, bug
Summary
A critical vulnerability in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8732, has exposed over 15,000 websites to unauthorized administrator account creation. Discovered by security researcher David Brown, the flaw allows unauthenticated attackers to exploit a vulnerable AJAX action and create rogue admin accounts without authentication. The vulnerability affects all WP Maps Pro versions up to 6.1.0; a patch was released on May 20, 2026. Attackers can inject backdoors, modify content, and take over affected sites. Wordfence reported over 3,600 exploitation attempts within 24 hours of the vulnerability's disclosure. Website administrators are urged to update to version 6.1.1 immediately to mitigate the risk.
Key Points:
• CVE-2026-8732 allows unauthenticated attackers to create admin accounts on WordPress sites.
• The vulnerability affects all WP Maps Pro versions up to 6.1.0, with over 15,000 sites impacted.
• A patch was released on May 20, 2026, and administrators are urged to update immediately.
Detailed Analysis
**Impact**
Over 15,000 WordPress sites running WP Maps Pro versions up to 6.1.0 are affected, including businesses, real estate, travel, directory, and organizational sites that rely on interactive maps. The vulnerability enables unauthenticated attackers to create administrator accounts, leading to full site takeover risks such as content modification, data theft, and deployment of backdoors or web shells. Observed exploitation attempts exceeded 3,600 within 24 hours, indicating active targeting.
**Technical Details**
The vulnerability (CVE-2026-8732) lies in a temporary-access AJAX endpoint in WP Maps Pro that lacks proper capability checks and relies on a publicly exposed nonce. Attackers trigger the wpgmp_temp_access_ajax_callback() function with a crafted request (check_temp=false), which creates an admin user with a hardcoded email ([email protected]) and a randomly generated username and then returns a passwordless login URL, enabling immediate authentication. Exploitation occurs at the initial access and persistence stages of the kill chain, allowing installation of malicious plugins, backdoors, and web shells.
**Recommended Response**
Immediately update WP Maps Pro to version 6.1.1 or later, which restricts the AJAX endpoint to authenticated administrators via capability checks. Deploy firewall rules blocking unauthenticated access to the vulnerable AJAX action, and monitor for the creation of admin accounts with usernames starting with "fc_user_" or the email [email protected]. Investigate and remediate any unauthorized administrator accounts or suspicious login URLs.
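The monitoring step above can be turned into a repeatable check. The following Python script is an added example for this page, not code from Wordfence or the plugin vendor: it reads the JSON that `wp user list --role=administrator --format=json` produces (WP-CLI's default fields are assumed) and flags administrators whose username starts with "fc_user_" or whose e-mail equals the hardcoded address from the advisory. Because this page redacts that address, the script uses a labelled placeholder that must be replaced with the value from the Wordfence advisory. It also lists any other administrator registered on or after a caller-supplied date (here the 2026-03-24 report date from the timeline) for manual review, which goes slightly beyond the two indicators named on the page. The sample user list is constructed for the example.

```python
"""Hunt for the administrator-account indicators from the WP Maps Pro advisory
in WP-CLI user-list output. Example code; the sample data is constructed."""
import json
from datetime import datetime

# Indicators from the advisory. The hardcoded e-mail is redacted on this page,
# so this is a placeholder to be replaced with the address in the advisory.
SUSPICIOUS_LOGIN_PREFIX = "fc_user_"
HARDCODED_EMAIL = "REPLACE-WITH-ADDRESS-FROM-ADVISORY@example.invalid"  # placeholder

# Constructed sample of `wp user list --role=administrator --format=json`
# output (WP-CLI default fields assumed). Not real data.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.org", "user_registered": "2021-04-02 09:15:00",
     "roles": "administrator"},
    {"ID": 57, "user_login": "fc_user_7f3a9c", "display_name": "fc_user_7f3a9c",
     "user_email": HARDCODED_EMAIL, "user_registered": "2026-05-22 03:41:18",
     "roles": "administrator"},
    {"ID": 58, "user_login": "marketing", "display_name": "Marketing",
     "user_email": "marketing@example.org", "user_registered": "2026-05-25 14:02:11",
     "roles": "administrator"},
])


def find_suspicious_admins(user_list_json, review_after=None):
    """Return (flagged, review).

    flagged: list of (user_login, reasons) for administrators matching an
             advisory indicator (login prefix or hardcoded e-mail).
    review:  logins of administrators matching no indicator but registered on
             or after `review_after` ("YYYY-MM-DD"), for manual confirmation.
    """
    cutoff = datetime.strptime(review_after, "%Y-%m-%d") if review_after else None
    flagged, review = [], []
    for user in json.loads(user_list_json):
        # WP-CLI reports roles as a comma-separated string; only admins matter.
        if "administrator" not in user.get("roles", "").split(","):
            continue
        reasons = []
        if user["user_login"].startswith(SUSPICIOUS_LOGIN_PREFIX):
            reasons.append("login prefix")
        if user["user_email"].lower() == HARDCODED_EMAIL.lower():
            reasons.append("hardcoded e-mail")
        if reasons:
            flagged.append((user["user_login"], reasons))
        elif cutoff is not None:
            registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
            if registered >= cutoff:
                review.append(user["user_login"])
    return flagged, review


if __name__ == "__main__":
    # Review date assumed: the 2026-03-24 report date from the timeline.
    flagged, review = find_suspicious_admins(SAMPLE_WP_USER_LIST, review_after="2026-03-24")
    for login, reasons in flagged:
        print(f"FLAGGED  {login}: {', '.join(reasons)}")
    for login in review:
        print(f"REVIEW   {login}: administrator registered on/after 2026-03-24")
```

In practice, pipe real output into the function (`wp user list --role=administrator --format=json > admins.json`) and treat a FLAGGED hit as an indicator of compromise that warrants the full investigation the advisory describes, not just deleting the account.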
Source articles (3)
- WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover — Thecyberexpress · 2026-05-29
  A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. T…
- WP Maps Pro bug exploited to create admin accounts on WordPress sites — Bleepingcomputer · 2026-05-31
  Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. The vulnerability, tracked a…
- 15000 Wordpress Sites Affected By Administrator Account Creation Vulnerability In Wp Maps Pro Wordpress Plugin — www.wordfence.com · 2026-05-31
Timeline
- 2026-03-24 — Vulnerability reported to Wordfence: Security researcher David Brown disclosed the WP Maps Pro vulnerability to Wordfence.
- 2026-05-16 — Exploit validated and escalated: Wordfence validated the exploit and escalated the issue to the Envato security team.
- 2026-05-20 — Patch released for WP Maps Pro: Version 6.1.1 was released to fix the critical vulnerability CVE-2026-8732.
- 2026-05-29 — CVE-2026-8732 published: The vulnerability was officially published, detailing its critical severity and impact.
- 2026-05-30 — First public PoC released: The first proof of concept for exploiting CVE-2026-8732 was made public.
CVEs
- CVE-2026-8732
Related entities
- Data Breach (Attack Type)
- CWE-287 - Improper Authentication (Cwe)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- flippercode.com (Domain)
- [email protected] (Email)
- T1078 - Valid Accounts (Mitre Attack)
- T1136 - Create Account (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- Google Maps (Platform)
- OpenStreetMap (Platform)
- WordPress (Platform)
- WP Maps Pro (Platform)