
Critical WP Maps Pro Vulnerability Exposes 15,000 WordPress Sites to Admin Takeover

Severity: High (Score: 74.0)

Sources: www.wordfence.com, Bleepingcomputer, Thecyberexpress, Securityaffairs.Co

Published: 2026-05-31 · Updated: 2026-06-01

Keywords: maps, wordpress, accounts, vulnerability, create, sites, site

Severity indicators: vulnerability, bug

Summary

A critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts on affected sites. The flaw affects all versions up to 6.1.0 and was discovered by researcher David Brown, who reported it on March 24, 2026. Exploitation goes through a publicly accessible AJAX action that requires no authentication and returns a passwordless login URL for the newly created administrator. Over 15,800 sales of the plugin have been recorded, and more than 3,600 attack attempts were blocked in a single day. A patch (version 6.1.1) was released on May 20, 2026, but exploitation attempts have already been observed. Site administrators are urged to update immediately.

Key Points:

  • CVE-2026-8732 allows unauthenticated admin account creation on vulnerable WordPress sites.
  • The vulnerability affects all WP Maps Pro versions up to 6.1.0, with over 15,800 sales recorded.
  • A patch was released on May 20, 2026, but exploitation attempts are already underway.

Detailed Analysis

**Impact**

Over 15,000 WordPress sites running WP Maps Pro versions up to 6.1.0 are affected worldwide, including business, real estate, travel and directory sites that rely on the plugin's interactive maps and store locators. Exploitation lets an unauthenticated attacker create an administrator account, which amounts to full site takeover: content modification, data theft, backdoor installation and web shell deployment. The source articles report between 2,858 and more than 3,600 exploitation attempts blocked in a single 24-hour period, indicating active targeting.

**Technical Details**

CVE-2026-8732 lies in the plugin's AJAX endpoint for its "temporary access" feature. The endpoint is reachable without authentication and is protected only by a nonce that the plugin exposes publicly; a WordPress nonce is a CSRF token, not an authorization check, so an attacker who reads it from a public page passes that check. A crafted request with `check_temp=false` causes the handler, `wpgmp_temp_access_ajax_callback()`, to create a new user with the administrator role, a randomly generated username beginning with `fc_user_` and a hardcoded email address ([email protected]). The handler then generates a passwordless login URL and returns it in the response; following that URL authenticates the attacker as the new administrator via `wp_set_auth_cookie()`. The flaw has been actively exploited in the wild.

**Recommended Response**

  • Update WP Maps Pro to version 6.1.1 or later immediately. The fix adds a capability check that restricts the vulnerable AJAX endpoint to authenticated administrators.
  • Deploy web application firewall (WAF) rules that block requests targeting the AJAX action. This is a stopgap until the update is applied, not a substitute for it.
  • Audit the user table for accounts with usernames beginning with `fc_user_` or the hardcoded email `[email protected]`, and for any administrator account the team does not recognize.
  • Review access logs for use of the passwordless login URLs and for unexpected administrator activity. Treat any confirmed rogue administrator as a full site compromise: rotate credentials, API keys and WordPress salts, and check for web shells and backdoors.
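The handler pattern described under Technical Details, as an added illustration. This is not WP Maps Pro's source code (the plugin is commercial and none of it is reproduced on this page); it reconstructs the shape of the bug from the advisory text. Taken from the page: the callback name `wpgmp_temp_access_ajax_callback()`, the `check_temp=false` trigger, the `fc_user_` username prefix, the administrator role and `wp_set_auth_cookie()`. Assumed for the example: the AJAX action name `wpgmp_temp_access`, the nonce action name, the user-meta keys, the login-URL format, and the placeholder email address (the real hardcoded address is redacted on this page). The hardened variant shows what a capability check of the kind 6.1.1 adds achieves; the token expiry and single-use handling are the example's own hardening, not something the page attributes to the plugin.

```php
<?php
/*
 * Added illustration of the bug class behind CVE-2026-8732. NOT WP Maps Pro's
 * source; reconstructed from the advisory text. ASSUMED: the AJAX action and
 * nonce names, the user-meta keys, the login-URL format, the placeholder email.
 */

// Shared by both variants: mint a one-time, short-lived login token. (Expiry and
// single use are this example's hardening, not documented plugin behaviour.)
function wpgmp_issue_temp_login_url( $user_id ) {
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'wpgmp_temp_token', $token );
    update_user_meta( $user_id, 'wpgmp_temp_token_expires', time() + 15 * MINUTE_IN_SECONDS );
    return add_query_arg(
        array( 'wpgmp_temp_login' => $token, 'uid' => (int) $user_id ),
        home_url( '/' )
    );
}

// Redeeming the URL logs the browser in as that user with no password prompt.
add_action( 'init', 'wpgmp_temp_access_redeem' );
function wpgmp_temp_access_redeem() {
    if ( empty( $_GET['wpgmp_temp_login'] ) || empty( $_GET['uid'] ) ) {
        return;
    }
    $uid     = (int) $_GET['uid'];
    $saved   = (string) get_user_meta( $uid, 'wpgmp_temp_token', true );
    $expires = (int) get_user_meta( $uid, 'wpgmp_temp_token_expires', true );
    // Burn the token on the first attempt, success or not: no replay, no brute force.
    delete_user_meta( $uid, 'wpgmp_temp_token' );
    delete_user_meta( $uid, 'wpgmp_temp_token_expires' );
    if ( '' !== $saved && time() < $expires
         && hash_equals( $saved, (string) $_GET['wpgmp_temp_login'] ) ) {
        wp_set_auth_cookie( $uid, true );   // the passwordless login the advisory describes
        wp_safe_redirect( admin_url() );
        exit;
    }
}

/* ---------- Vulnerable shape (versions <= 6.1.0, reconstructed) ---------- */

// The *_nopriv_ hook exposes the callback to visitors who are not logged in.
add_action( 'wp_ajax_wpgmp_temp_access',        'wpgmp_temp_access_ajax_callback' );
add_action( 'wp_ajax_nopriv_wpgmp_temp_access', 'wpgmp_temp_access_ajax_callback' );

function wpgmp_temp_access_ajax_callback() {
    // A nonce is a CSRF token, not an authorization check. When the plugin prints
    // it on a public page anyone can read it, so an unauthenticated attacker passes
    // this line (CWE-862). Nothing below ever asks who the caller is.
    check_ajax_referer( 'wpgmp_temp_access_nonce', 'nonce' );

    if ( isset( $_POST['check_temp'] ) && 'false' === $_POST['check_temp'] ) {
        $user_id = wp_insert_user( array(
            'user_login' => 'fc_user_' . wp_generate_password( 8, false ),
            'user_pass'  => wp_generate_password( 24 ),
            // Hardcoded address (CWE-798). Placeholder: the real one is redacted here.
            'user_email' => 'temp-access@example.invalid',
            'role'       => 'administrator',
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            // The response hands an unauthenticated caller an administrator session.
            wp_send_json_success( array( 'login_url' => wpgmp_issue_temp_login_url( $user_id ) ) );
        }
    }
    wp_send_json_error();
}

/* ---------- Hardened shape (what a 6.1.1-style capability check achieves) ---------- */

// 1. No nopriv hook: unauthenticated requests never reach the handler.
// 2. Capability check before anything else; the nonce alone is not authorization.
// 3. No hardcoded email: the requesting admin supplies one and it is validated.
add_action( 'wp_ajax_wpgmp_temp_access', 'wpgmp_temp_access_ajax_callback_hardened' );

function wpgmp_temp_access_ajax_callback_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wpgmp_temp_access_nonce', 'nonce' );

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! isset( $_POST['check_temp'] ) || 'false' !== $_POST['check_temp'] || ! is_email( $email ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => 'fc_user_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'user_email' => $email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'login_url' => wpgmp_issue_temp_login_url( $user_id ) ) );
}
```

The difference that matters is the first line of each handler: `current_user_can()` asks who the caller is, `check_ajax_referer()` only asks whether the request carries a token the site itself printed. A WAF rule on the AJAX action buys time, but as long as the nopriv hook exists and the nonce is on a public page, the endpoint is still an unauthenticated admin factory for anyone the WAF misses.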

Source articles (4)

  • WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover — Thecyberexpress · 2026-05-29
    A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. T…
  • WP Maps Pro bug exploited to create admin accounts on WordPress sites — Bleepingcomputer · 2026-05-31
    Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. The vulnerability, tracked a…
  • CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password — Securityaffairs.Co · 2026-06-01
    CVE-2026-8732 in WP Maps Pro lets unauthenticated attackers create WordPress admin accounts. 2,858 attacks blocked in 24 hours. WP Maps Pro plugin allows WordPress site owners to embed Google Maps and…
  • 15000 Wordpress Sites Affected By Administrator Account Creation Vulnerability In Wp Maps Pro Wordpress Plugin — www.wordfence.com · 2026-05-31

Timeline

  • 2026-03-24 — Vulnerability reported to Wordfence: Security researcher David Brown disclosed the WP Maps Pro vulnerability to Wordfence.
  • 2026-05-16 — Exploit validated and escalated: Wordfence validated the exploit and escalated the issue to the Envato security team.
  • 2026-05-18 — Firewall protection implemented: Wordfence Premium, Care, and Response users received firewall protection against the vulnerability.
  • 2026-05-20 — Patch released for WP Maps Pro: Version 6.1.1 was released, fixing the vulnerability by adding a capability check.
  • 2026-05-29 — CVE-2026-8732 published: CVE-2026-8732 was published, detailing the vulnerability in WP Maps Pro.
  • 2026-05-30 — First public PoC released: The first proof of concept for CVE-2026-8732 was made public, demonstrating the exploit.
  • 2026-05-31 — Active exploitation reported: Researchers reported over 3,600 attempts to exploit the vulnerability within 24 hours.
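The audit step from the Recommended Response above, as an added triage script. It is not Wordfence's or the plugin's code; it applies the indicators the page gives (administrator accounts whose login starts with `fc_user_` or whose email is the plugin's hardcoded address), flags administrators registered on or after the 6.1.1 release date in the timeline for manual review, and reports whether the installed WP Maps Pro is still below 6.1.1. Assumed: it runs inside the site via WP-CLI (`wp eval-file wpgmp-rogue-admin-check.php`), the hardcoded email must be copied from the Wordfence advisory into `WPGMP_HARDCODED_EMAIL` because it is redacted on this page, and the plugin's Name header contains "WP Maps Pro".

```php
<?php
/*
 * Added triage script for CVE-2026-8732 indicators. Not from Wordfence or
 * WP Maps Pro. Run with:  wp eval-file wpgmp-rogue-admin-check.php
 * ASSUMED: replace WPGMP_HARDCODED_EMAIL with the address from the advisory
 * (redacted on this page); plugin Name header contains "WP Maps Pro".
 */

const WPGMP_ROGUE_LOGIN_PREFIX = 'fc_user_';
const WPGMP_HARDCODED_EMAIL    = 'REPLACE-WITH-ADDRESS-FROM-ADVISORY';
const WPGMP_PATCH_RELEASED     = '2026-05-20 00:00:00';   // 6.1.1 release date from the timeline
const WPGMP_FIXED_VERSION      = '6.1.1';

// Returns array( user_id => array( login, email, registered, reasons[] ) ) for
// every administrator that matches at least one indicator.
function wpgmp_find_suspect_admins() {
    $out = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
        $reasons = array();
        if ( 0 === strpos( $u->user_login, WPGMP_ROGUE_LOGIN_PREFIX ) ) {
            $reasons[] = 'login matches fc_user_ prefix';
        }
        if ( 0 === strcasecmp( $u->user_email, WPGMP_HARDCODED_EMAIL ) ) {
            $reasons[] = 'email is the plugin hardcoded address';
        }
        // user_registered is MySQL DATETIME text, so string comparison orders correctly.
        if ( $u->user_registered >= WPGMP_PATCH_RELEASED ) {
            $reasons[] = 'registered on/after patch release (manual review)';
        }
        if ( $reasons ) {
            $out[ $u->ID ] = array(
                'login'      => $u->user_login,
                'email'      => $u->user_email,
                'registered' => $u->user_registered,
                'reasons'    => $reasons,
            );
        }
    }
    return $out;
}

// Returns the installed WP Maps Pro version string, or null if the plugin is absent.
function wpgmp_installed_version() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( false !== stripos( $data['Name'], 'WP Maps Pro' ) ) {
            return $data['Version'];
        }
    }
    return null;
}

if ( class_exists( 'WP_CLI' ) ) {
    $version = wpgmp_installed_version();
    if ( null === $version ) {
        WP_CLI::log( 'WP Maps Pro not found among installed plugins.' );
    } elseif ( version_compare( $version, WPGMP_FIXED_VERSION, '<' ) ) {
        WP_CLI::warning( "WP Maps Pro $version is vulnerable; update to " . WPGMP_FIXED_VERSION . ' or later.' );
    } else {
        WP_CLI::log( "WP Maps Pro $version is at or above the fixed version." );
    }

    $suspects = wpgmp_find_suspect_admins();
    foreach ( $suspects as $id => $s ) {
        WP_CLI::warning( sprintf( 'admin #%d %s <%s> registered %s: %s',
            $id, $s['login'], $s['email'], $s['registered'], implode( '; ', $s['reasons'] ) ) );
    }
    if ( ! $suspects ) {
        WP_CLI::success( 'No administrator accounts matched the CVE-2026-8732 indicators.' );
    }
}
```

The script only reports. Removing an account is a decision for the operator (confirm it with the team, then `wp user delete <id> --reassign=<trusted-admin-id>`), and a confirmed rogue admin means the rest of the incident-response steps still apply: the attacker may have installed a web shell or backdoor that outlives the account.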

CVEs

  • CVE-2026-8732

Related entities

  • Data Breach (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • flippercode.com (Domain)
  • location.it (Domain)
  • [email protected] (Email)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1136 - Create Account (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1505.003 - Web Shell (Mitre Attack)
  • Google Maps (Platform)
  • OpenStreetMap (Platform)
  • WordPress (Platform)
  • WP Maps Pro (Platform)