Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication.
The vulnerability, tracked as CVE-2026-8732, has a critical severity rating and impacts WP Maps Pro versions 6.1.0 and older. It was discovered and reported by security researcher David Brown.
WP Maps Pro is a premium WordPress plugin for building interactive, customizable maps and store locators. It supports multiple map providers, such as Google Maps and OpenStreetMap.
The plugin is typically used by businesses, real estate websites, travel sites, directories, and organizations that need to display multiple locations on a map, and has over 15,800 sales on the Envato Market.
The CVE-2026-8732 vulnerability is caused by a “temporary access” feature in the plugin, intended to allow vendor support staff to access customer sites for troubleshooting.
Brown found that the AJAX endpoint used for this feature was accessible to unauthenticated users and relied solely on a publicly exposed nonce check in frontend JavaScript, rendering the protection ineffective.
This allows sending a specially crafted request that triggers code to create a new WordPress user, assign it the administrator role, generate a passwordless login URL, and send it to a remote system.
Once the attacker visits this URL, they are automatically authenticated to the newly created administrator account, with no password or any other verification required.
Researchers at WordPress security company Defiant observed that threat actors are trying to exploit the vulnerability, and blocked more than 3,600 attempts over the past 24 hours.
Source: Wordfence
“When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com,” the researchers explain.
“The function then generates a “magic login URL” using generate_login_link(), stores it as user meta, and returns it in the response body.”
Having admin-level access on the site means attackers can inject persistent backdoors, modify content, access private data, deploy web shells, install malicious plugins, and take over the website.
Brown reported the flaw to Wordfence on March 24, and the vendor was notified on May 16 after validating the exploit.
On May 20, WP Maps Pro 6.1.1 was released with a fix for CVE-2026-8732. Website administrators are recommended to update their plugins as soon as possible, as malicious activity has already been observed.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
