WP Maps Pro bug exploited to create admin accounts on WordPress sites
Recorded: May 31, 2026, 3 p.m.
By Bill Toulas, May 31, 2026

Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication.

[Image: Creating a rogue admin user. Source: Wordfence]
Hackers are actively exploiting a vulnerability in the WP Maps Pro plugin that allows the creation of unauthorized administrator accounts on WordPress websites. The vulnerability, tracked as CVE-2026-8732, is rated critical and affects versions 6.1.0 and earlier of the plugin.

WP Maps Pro is a premium WordPress plugin for building interactive, customizable maps and store locators, commonly used by businesses, real estate sites, and other organizations.

The flaw stems from a plugin feature called "temporary access," intended to let vendor support staff troubleshoot customer sites. Security researcher David Brown discovered the vulnerability when he found that the AJAX endpoint behind this feature was reachable by unauthenticated users. The endpoint relied solely on a nonce check performed in the frontend JavaScript, which offers no protection against requests sent directly to the endpoint.

This deficiency allowed threat actors to send specially crafted requests that triggered functions capable of creating a new WordPress user, assigning it the administrator role, generating a passwordless login URL, and transmitting that link to a remote system. Upon visiting the URL, the attacker was automatically authenticated as the newly created administrator without needing a password or any further verification.

Specifically, the researchers explained that when a request with the check_temp parameter set to false was made, the underlying function used wp_insert_user() to create a new WordPress user with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com. The function then generated a "magic login URL" using generate_login_link(), stored it in user metadata, and returned it in the response body.
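The root cause described above is an AJAX handler that treated a frontend nonce as its only gate. The following is an added illustration of how such a "temporary support access" endpoint can be written defensively; it is not WP Maps Pro code, and the action name, meta key and role choice are placeholders chosen for this example. It assumes it runs inside a WordPress plugin file.

```php
<?php
/**
 * Hardened "temporary support access" AJAX handler (illustration only).
 * wpmp_demo_temp_access and wpmp_demo_expires are placeholder names.
 */

// Registered ONLY on the authenticated hook. With no wp_ajax_nopriv_ twin,
// logged-out visitors never reach this function at all.
add_action( 'wp_ajax_wpmp_demo_temp_access', 'wpmp_demo_temp_access_handler' );

function wpmp_demo_temp_access_handler() {
    // 1. Nonce: protects the logged-in admin's browser against CSRF. It is
    //    not an authentication or authorization check, which is why a nonce
    //    verified only in frontend JavaScript stopped nothing.
    check_ajax_referer( 'wpmp_demo_temp_access', 'nonce' );

    // 2. Authorization: creating any account must require a capability that
    //    only administrators hold. This is the check whose absence allowed
    //    unauthenticated requests to mint admin users.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Least privilege: the role is fixed server-side and is not
    //    'administrator'; a support login rarely needs more than 'editor'.
    $login   = 'support_' . strtolower( wp_generate_password( 8, false ) );
    $secret  = wp_generate_password( 32, true, true );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => $secret,
        'user_email' => sanitize_email( get_option( 'admin_email' ) ),
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // 4. Time-bound: store an expiry so a scheduled task can delete the
    //    account; a permanent support login is a standing backdoor.
    update_user_meta( $user_id, 'wpmp_demo_expires', time() + DAY_IN_SECONDS );

    // 5. Audit trail, and no passwordless URL: the one-time password goes
    //    only to the authenticated admin who requested it, never to a remote host.
    error_log( sprintf( 'Temporary support user %s created by user %d', $login, get_current_user_id() ) );
    wp_send_json_success( array( 'user_login' => $login, 'password' => $secret, 'expires_in' => DAY_IN_SECONDS ) );
}
```

When reviewing plugin code for this class of bug, look for any wp_ajax_nopriv_ handler that reaches wp_insert_user() or a role change, and for handlers whose only gate is a nonce rather than a current_user_can() check.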
Gaining administrator-level access grants attackers significant control over the compromised websites, enabling a wide range of malicious activity: injecting persistent backdoors, modifying website content, accessing private data, deploying web shells, installing malicious plugins, and ultimately taking complete control of the site.

Following the discovery, Brown reported the flaw to Wordfence on March 24th, and the vendor was notified on May 16th once the exploit had been validated. WP Maps Pro version 6.1.1, released on May 20th, contains the fix for CVE-2026-8732. Website administrators are strongly advised to update the plugin immediately, as exploitation of this vulnerability has already been documented.