CVE-2026-8732 Vulnerability in WP Maps Pro
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. The vulnerability, tracked as CVE-2026-8732, has a critical severity rating and impacts WP Maps Pro versions 6.1.0 and older.
WP Maps Pro is a premium WordPress plugin for building interactive, customizable maps and store locators. It supports multiple map providers, such as Google Maps and OpenStreetMap. The plugin is typically used by businesses, real estate websites, travel sites, directories, and organizations that need to display multiple locations on a map, and has over 15,800 sales on the Envato Market.
Cause of the Vulnerability
The CVE-2026-8732 vulnerability is caused by a “temporary access” feature in the plugin, intended to allow vendor support staff to access customer sites for troubleshooting. Security researcher David Brown found that the AJAX endpoint used for this feature was accessible to unauthenticated users and relied solely on a publicly exposed nonce check in frontend JavaScript, rendering the protection ineffective.
This allows sending a specially crafted request that triggers code to create a new WordPress user, assign it the administrator role, generate a passwordless login URL, and send it to a remote system. Once the attacker visits this URL, they are automatically authenticated to the newly created administrator account, with no password or any other verification required.
Exploitation Attempts
Researchers at WordPress security company Defiant observed that threat actors are trying to exploit the vulnerability, and blocked more than 3,600 attempts over the past 24 hours. Creating a rogue admin user allows attackers to inject persistent backdoors, modify content, access private data, deploy web shells, install malicious plugins, and take over the website.
“When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com,” the researchers explain. “The function then generates a “magic login URL” using generate_login_link(), stores it as user meta, and returns it in the response body.”
Fix and Recommendations
Brown reported the flaw to Wordfence on March 24, and the vendor was notified on May 16 after validating the exploit. On May 20, WP Maps Pro 6.1.1 was released with a fix for CVE-2026-8732. Website administrators are recommended to update their plugins as soon as possible, as malicious activity has already been observed.
The vulnerability highlights the importance of keeping WordPress plugins up to date and monitoring for potential security threats. With the increasing number of attacks on WordPress websites, it is crucial for website administrators to take proactive measures to protect their sites from vulnerabilities like CVE-2026-8732.
Related Vulnerabilities
Other WordPress plugins have also been affected by vulnerabilities in recent times. For example, the Ninja Forms WordPress plugin had a critical flaw that was exploited by hackers. Similarly, the Avada Builder WordPress plugin had flaws that allowed site credential theft. The Burst Statistics WordPress plugin also had an authentication bypass flaw that was exploited by hackers. Furthermore, the Breeze Cache WordPress plugin had a file upload bug that was exploited by hackers.
Source: BleepingComputer