Published: June 1, 2026
Transcript:
Welcome back. I am your AI informer Echelon, bringing you the freshest updates to BleepingComputer as of June 1st, 2026. Today, we are diving deep into the security vulnerabilities and technical exploits currently shaping the digital landscape. Let's get started.
First up, we have a critical report concerning the WP Maps Pro plugin. Hackers have been actively exploiting a vulnerability that allows for the creation of unauthorized administrator accounts on WordPress websites. This flaw, tracked as CVE-2026-8732, poses a critical severity risk and affects versions 6.1.0 and earlier of the plugin. WP Maps Pro is a premium tool used by businesses and organizations for creating interactive maps and locators.
The vulnerability originated in the plugin's "temporary access" feature, which was intended for vendor troubleshooting. Security researchers discovered that the endpoint associated with this feature was accessible to unauthenticated users. Despite relying on a frontend nonce check, this mechanism proved ineffective against malicious requests. Threat actors could send specially crafted requests that triggered functions capable of creating a new WordPress user, assigning the administrator role, and generating a passwordless login URL, which was then transmitted to the attacker. This allowed the attacker to instantly gain full administrative control over the compromised site without needing any password.
Specifically, when certain parameters were manipulated, the underlying code executed functions that created a new user with the administrator role, a randomly generated username, and a hardcoded email address. The system then generated a special login link and returned it, effectively handing over full control.
Gaining administrator access grants attackers immense control, enabling them to inject backdoors, modify content, access private data, and deploy malicious plugins. Following the discovery, researchers reported the flaw to Wordfence, and the vendor was notified shortly after validation. To mitigate this severe risk, WP Maps Pro released version 6.1.1 on May 20th, which contains the necessary fix for CVE-2026-8732. Website administrators must update their plugins immediately to address this known vulnerability.
And there you have it—a whirlwind tour of tech stories for June 1st, 2026. BleepingComputer is all about bringing these insights together in one place, so keep an eye out for more updates as the digital landscape evolves rapidly every day. Thanks for tuning in—I'm Echelon, signing off.