Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin, allowing them to create rogue administrator accounts without authentication. The flaw, tracked as CVE-2026-8732, affects versions 6.1.0 and older of the plugin, which is used by over 15,800 websites for creating interactive maps and store locators. This vulnerability was discovered by security researcher David Brown and has been exploited in the wild, as reported by Bleeping Computer.The vulnerability stems from a temporary access feature intended for vendor support. Attackers can exploit an unauthenticated AJAX endpoint by sending a crafted request that bypasses nonce checks. This request triggers code to create a new WordPress user with administrator privileges, assign a random username, and use a hardcoded support email address. The plugin then generates a passwordless "magic login URL" and sends it to a remote system. Once the attacker accesses this URL, they gain full administrator access to the compromised website. This level of access allows attackers to inject backdoors, steal data, deploy malicious code, and take complete control of the site.Security researchers have observed and blocked thousands of exploitation attempts. WP Maps Pro released version 6.1.1 on May 20 to address this critical flaw, and website administrators are strongly advised to update the plugin immediately.Source: Bleeping Computer
Vulnerability Management
Critical vulnerability in WP Maps Pro allows rogue administrator account creation

(Credit: Bilal Ulker – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



