Bleepingcomputer
Critical WP Maps Pro Vulnerability Exposes 15,000 WordPress Sites to Admin Takeover
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts on affected sites. The flaw affects all versions up to 6.1.0 and was discovered by researcher David Brown, who reported it on March 24, 2026. Exploitation is possible through a publicly accessible AJAX action that does not require authentication, enabling attackers to generate passwordless login URLs. Over 15,800 sales of the plugin have been recorded, with more than 3,600 attack attempts blocked in a single day. A patch (version 6.1.1) was released on May 20, 2026, to mitigate the issue, but malicious activity has already been observed. Website administrators are urged to update their plugins immediately to prevent exploitation.
Key Points: • CVE-2026-8732 allows unauthenticated admin account creation on vulnerable WordPress sites. • The vulnerability affects all WP Maps Pro versions up to 6.1.0, with over 15,800 sales recorded. • A patch was released on May 20, 2026, but exploitation attempts are already underway.