Critical WP Maps Pro Vulnerability Exposes 15,000 WordPress Sites to Admin Takeover
Severity: High (Score: 74.0)
Sources: thehackernews.com, Securityaffairs.Co, www.wordfence.com, Cybersecuritynews, Bleepingcomputer
Keywords: maps, wordpress, accounts, vulnerability, create, sites, site
Severity indicators: vulnerability, bug
Summary
A critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts on affected sites. The flaw affects all versions up to 6.1.0 and was discovered by researcher David Brown, who reported it on March 24, 2026. Exploitation is possible through a publicly accessible AJAX action that does not require authentication, enabling attackers to generate passwordless login URLs. Over 15,800 sales of the plugin have been recorded, with more than 3,600 attack attempts blocked in a single day. A patch (version 6.1.1) was released on May 20, 2026, to mitigate the issue, but malicious activity has already been observed. Website administrators are urged to update their plugins immediately to prevent exploitation.
Key Points:
- CVE-2026-8732 allows unauthenticated admin account creation on vulnerable WordPress sites.
- The vulnerability affects all WP Maps Pro versions up to 6.1.0, with over 15,800 sales recorded.
- A patch was released on May 20, 2026, but exploitation attempts are already underway.
Detailed Analysis
**Impact**
Over 15,000 WordPress sites using WP Maps Pro versions up to 6.1.0 are affected worldwide, including businesses in the real estate, travel, and directory sectors that rely on interactive maps and store locators. Exploitation enables unauthenticated attackers to create administrator accounts, leading to full site takeover risks such as unauthorized content modification, data theft, backdoor installation, and deployment of web shells. At least 3,600 exploitation attempts were blocked in a 24-hour period, indicating active targeting.
**Technical Details**
The vulnerability (CVE-2026-8732) stems from a flaw in the plugin’s AJAX endpoint for a “temporary access” feature, which is reachable without authentication and protected only by a publicly exposed nonce; a nonce defends against CSRF but is not an authorization check. Attackers send a crafted request with `check_temp=false` to trigger creation of a new admin user with a randomly generated username and a hardcoded email ([email protected]). A passwordless login URL is generated and returned, allowing immediate administrator authentication via `wp_set_auth_cookie()`. The flaw exists in the `wpgmp_temp_access_ajax_callback()` function and was actively exploited in the wild.
**Recommended Response**
Immediately update WP Maps Pro to version 6.1.1 or later, which adds a capability check restricting the vulnerable AJAX endpoint to authenticated administrators only. Deploy web application firewall (WAF) rules to block exploitation attempts targeting the AJAX action. Monitor for creation of WordPress users with usernames beginning with `fc_user_` or the hardcoded email `[email protected]`. Review logs for suspicious login URLs and unauthorized administrator account activity.
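The two defensive measures described above, the capability check that the 6.1.1 fix is reported to add and the monitoring for the named account indicators, as an added illustration written for this page (it is not WP Maps Pro code and does not reproduce the plugin's handler). It assumes a WordPress runtime (drop it in as an mu-plugin or run it with `wp eval-file`); the AJAX action name `demo_temp_access` and the `SUSPICIOUS_EMAIL` constant are placeholders, since the page shows the hardcoded address only in obfuscated form.

```php
<?php
/**
 * Added illustration, not WP Maps Pro code. Assumes a WordPress runtime.
 * The action name and the email constant below are placeholders.
 */

// Hypothetical AJAX action name; the real plugin's action is not named on this page.
const DEMO_ACTION = 'demo_temp_access';
// Placeholder for the hardcoded email from the advisory (shown obfuscated on this page).
const SUSPICIOUS_EMAIL = 'REPLACE_WITH_HARDCODED_EMAIL_FROM_ADVISORY';

/**
 * Hardened handler pattern: registered only on the authenticated `wp_ajax_`
 * hook, verifies a nonce, and then requires an administrator capability.
 * The nonce is CSRF protection only; nonces are embedded in page markup, so
 * the capability check is the control that actually restricts the endpoint.
 */
function demo_temp_access_ajax_callback() {
    check_ajax_referer( DEMO_ACTION, 'nonce' );            // CSRF protection, not authorization
    if ( ! current_user_can( 'manage_options' ) ) {        // the authorization check the fix adds
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    // Privileged work belongs here; account creation must never be driven by request parameters.
    wp_send_json_success( array( 'ok' => true ) );
}
add_action( 'wp_ajax_' . DEMO_ACTION, 'demo_temp_access_ajax_callback' );
// Deliberately no add_action( 'wp_ajax_nopriv_' . DEMO_ACTION, ... ): unauthenticated
// callers receive WordPress's default "-1" response instead of reaching the handler.

/**
 * Detection: return administrator accounts matching the indicators named in
 * the advisory (login prefix `fc_user_` or the hardcoded email), with their
 * registration timestamp so an analyst can correlate against web-server logs.
 */
function demo_find_suspicious_admins() {
    $admins = get_users( array( 'role' => 'administrator', 'fields' => 'all' ) );
    $hits   = array();
    foreach ( $admins as $u ) {
        $login_hit = 0 === strpos( $u->user_login, 'fc_user_' );
        $email_hit = 0 === strcasecmp( $u->user_email, SUSPICIOUS_EMAIL );
        if ( $login_hit || $email_hit ) {
            $hits[] = array(
                'ID'              => $u->ID,
                'user_login'      => $u->user_login,
                'user_email'      => $u->user_email,
                'user_registered' => $u->user_registered,
            );
        }
    }
    return $hits;
}

// Usage with WP-CLI: `wp eval-file this-file.php`
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $rows = demo_find_suspicious_admins();
    WP_CLI::log( $rows ? wp_json_encode( $rows, JSON_PRETTY_PRINT ) : 'No matching administrator accounts.' );
}
```

The detection function is a starting point, not a substitute for updating: an attacker who has already logged in can rename the account or create further ones, so review every administrator registered around the dates in the timeline, not only those matching the published indicators.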
Source articles (13)
- WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover — Thecyberexpress · 2026-05-29
A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. T…
- WP Maps Pro bug exploited to create admin accounts on WordPress sites — Bleepingcomputer · 2026-05-31
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. The vulnerability, tracked a…
- CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password — Securityaffairs.Co · 2026-06-01
CVE-2026-8732 in WP Maps Pro lets unauthenticated attackers create WordPress admin accounts. 2,858 attacks blocked in 24 hours. WP Maps Pro plugin allows WordPress site owners to embed Google Maps and…
- Critical WP Maps Pro Vulnerability Under Active Attack, WordPress Sites at Risk of Full Takeover — Techlomedia.In · 2026-06-01
A critical security vulnerability in the popular WP Maps Pro WordPress plugin is being actively exploited by attackers to take over vulnerable websites. The flaw, tracked as CVE-2026-8732, has a CVSS…
- WP Maps Pro WordPress flaw exploited to create admin accounts — Thenextweb · 2026-06-01
TL;DR A critical vulnerability (CVE-2026-8732, CVSS 9.8) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create admin accounts and take over sites. Wordfence blocked 2,858 expl…
- CVE-2026-8732 — nvd.nist.gov · 2026-06-01
This CVE record is not being prioritized for NVD enrichment efforts due to resource or other concerns. The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Acco…
- Cybersecurity Digital Resilience — techlomediainternet.com · 2026-06-01
Implementation of enterprise-grade Web Application Firewalls to filter malicious traffic and block SQL injections, XSS, and sophisticated bot attacks at the network edge. Ensuring 100% uptime during h…
- Critical vulnerability in WP Maps Pro allows rogue administrator account creation — Scworld · 2026-06-01
Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin, allowing them to create rogue administrator accounts without authentication. The flaw, tracked as CVE-2026…
- Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account — Cybersecuritynews · 2026-06-02
A critical security vulnerability in the popular WP Maps Pro WordPress plugin could allow attackers to gain full control of affected websites by creating unauthorized administrator accounts. The flaw,…
- WP Maps Pro WordPress flaw exploited to create admin accounts — Ground.News · 2026-06-02
A critical vulnerability in WP Maps Pro, a commercial WordPress plugin with more than 15,000 sales on the Envato Market, is being actively exploited by attackers to create malicious administrator acco…
- 15000 Wordpress Sites Affected By Administrator Account Creation Vulnerability In Wp Maps Pro Wordpress Plugin — www.wordfence.com · 2026-05-31
- Security company Wordfence says — www.wordfence.com · 2026-06-01
- Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts — thehackernews.com · 2026-06-02
Timeline
- 2026-03-24 — Vulnerability reported to Wordfence: Security researcher David Brown disclosed the WP Maps Pro vulnerability to Wordfence.
- 2026-05-16 — Exploit validated and escalated: Wordfence validated the exploit and escalated the issue to the Envato security team.
- 2026-05-18 — Firewall protection implemented: Wordfence Premium, Care, and Response users received firewall protection against the vulnerability.
- 2026-05-20 — Patch released for WP Maps Pro: Version 6.1.1 was released, fixing the vulnerability by adding a capability check.
- 2026-05-29 — CVE-2026-8732 published: CVE-2026-8732 was published, detailing the vulnerability in WP Maps Pro.
- 2026-05-30 — First public PoC released: The first proof of concept for CVE-2026-8732 was made public, demonstrating the exploit.
- 2026-05-31 — Active exploitation reported: Researchers reported over 3,600 attempts to exploit the vulnerability within 24 hours.
CVEs
Related entities
- Data Breach (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-287 - Improper Authentication (Cwe)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- flippercode.com (Domain)
- location.it (Domain)
- [email protected] (Email)
- T1078 - Valid Accounts (Mitre Attack)
- T1136 - Create Account (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- Google Maps (Platform)
- OpenStreetMap (Platform)
- WordPress (Platform)
- WP Maps Pro (Platform)