Critical WP Maps Pro Vulnerability Exposes 15,000 WordPress Sites to Admin Takeover

Critical WP Maps Pro Vulnerability Exposes 15,000 WordPress Sites to Admin Takeover

First seen 31 May 2026, 14:48 UTC ThecyberexpressBleepingcomputerSecurityaffairs.CoTechlomedia.InThenextweb+12 88% similarity 74.0

Article Content

Browse articles
ThreatCluster

A critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts on affected sites. The flaw affects all versions up to 6.1.0 and was discovered by researcher David Brown, who reported it on March 24, 2026. Exploitation is possible through a publicly accessible AJAX action that does not require authentication, enabling attackers to generate passwordless login URLs. Over 15,800 sales of the plugin have been recorded, with more than 3,600 attack attempts blocked in a single day. A patch (version 6.1.1) was released on May 20, 2026, to mitigate the issue, but malicious activity has already been observed. Website administrators are urged to update their plugins immediately to prevent exploitation.

Key Points: • CVE-2026-8732 allows unauthenticated admin account creation on vulnerable WordPress sites. • The vulnerability affects all WP Maps Pro versions up to 6.1.0, with over 15,800 sales recorded. • A patch was released on May 20, 2026, but exploitation attempts are already underway.

ThreatCluster AI

Timeline

2026-03-24
Vulnerability reported to Wordfence
Security researcher David Brown disclosed the WP Maps Pro vulnerability to Wordfence.
Thecyberexpress
2026-05-16
Exploit validated and escalated
Wordfence validated the exploit and escalated the issue to the Envato security team.
Thecyberexpress
2026-05-18
Firewall protection implemented
Wordfence Premium, Care, and Response users received firewall protection against the vulnerability.
Thecyberexpress
2026-05-20
Patch released for WP Maps Pro
Version 6.1.1 was released, fixing the vulnerability by adding a capability check.
Thecyberexpress
2026-05-29
CVE-2026-8732 published
CVE-2026-8732 was published, detailing the vulnerability in WP Maps Pro.
Bleepingcomputer
2026-05-30
First public PoC released
The first proof of concept for CVE-2026-8732 was made public, demonstrating the exploit.
Securityaffairs.Co
2026-05-31
Active exploitation reported
Researchers reported over 3,600 attempts to exploit the vulnerability within 24 hours.
Bleepingcomputer

Community

Browse all →