
WP Maps Pro bug exploited to create admin accounts on WordPress sites

Published:

31 May 2026 at 14:06:42

Alert date:

31 May 2026 at 15:01:43

Source:

bleepingcomputer.com


Web Technologies, Zero-Day Vulnerabilities

Hackers are actively exploiting a vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create administrator accounts. The vulnerability affects WordPress websites running vulnerable versions of the plugin and is being targeted in the wild. It is a critical issue because it hands an attacker complete administrative access to the affected site. Website administrators should immediately update or disable the affected plugin to prevent unauthorized access.

Technical details

CVE-2026-8732 is caused by a 'temporary access' feature in WP Maps Pro that allows vendor support staff to access customer sites for troubleshooting. The AJAX endpoint used for this feature was reachable by unauthenticated users and relied solely on a nonce check; because that nonce is embedded in publicly served frontend JavaScript, anyone can obtain it, so the check proves nothing about who is calling and provides no real protection. There was no capability check. When a request is made with the check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com. The function then generates a 'magic login URL' using generate_login_link(), stores it as user meta, and returns it in the response body, allowing attackers to gain admin-level access without password verification.
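The pattern described above, and how a plugin author should gate such an endpoint instead, as an added illustrative example. This is not WP Maps Pro's code: the AJAX action name `wpmp_temp_access`, the meta keys and the function names are placeholders chosen for the example. The weak version mirrors the advisory's description (unauthenticated hook, nonce as the only gate, administrator created from request data); the hardened version registers the hook for logged-in users only, checks both the nonce and a capability, never creates an administrator, gives the support account a short expiry, and does not return a login link in the response.

```php
<?php
/**
 * Added example (not the plugin's code). Action name, meta keys and
 * function names are placeholders.
 */

// ---- Weak pattern, as the advisory describes it ----------------------
// wp_ajax_nopriv_* runs for visitors who are not logged in. The nonce is
// created for the public front-end script, so it is not a secret and
// cannot stand in for authorization. No capability is checked.
add_action( 'wp_ajax_nopriv_wpmp_temp_access', 'wpmp_temp_access_weak' );
function wpmp_temp_access_weak() {
    check_ajax_referer( 'wpmp_temp_access', 'nonce' );          // public nonce
    $check_temp = isset( $_POST['check_temp'] ) ? $_POST['check_temp'] : 'true';
    if ( 'false' === $check_temp ) {
        $user_id = wp_insert_user( array(
            'user_login' => wp_generate_password( 12, false ),
            'user_pass'  => wp_generate_password( 24 ),
            'user_email' => 'support@flippercode.com',
            'role'       => 'administrator',                    // hardcoded admin
        ) );
        // Returning a password-less login link to the caller completes the
        // takeover: whoever sent the request now has admin access.
        wp_send_json_success( array( 'login_url' => '<magic login link>' ) );
    }
    wp_send_json_error( 'nothing to do' );
}

// ---- Hardened form -----------------------------------------------------
// 1. wp_ajax_* only: unauthenticated visitors never reach the handler.
// 2. Nonce AND capability: the nonce blocks CSRF, current_user_can() is
//    the authorization decision. Only a site administrator may grant access.
// 3. Least privilege: the support account is an editor, not an administrator,
//    and it expires automatically.
// 4. Nothing in the response lets the caller log in as someone else.
add_action( 'wp_ajax_wpmp_temp_access', 'wpmp_temp_access_hardened' );
function wpmp_temp_access_hardened() {
    check_ajax_referer( 'wpmp_temp_access', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $grant = isset( $_POST['grant_access'] )
        && filter_var( wp_unslash( $_POST['grant_access'] ), FILTER_VALIDATE_BOOLEAN );
    if ( ! $grant ) {
        wp_send_json_error( 'nothing to do', 400 );
    }

    $ttl_seconds = 2 * HOUR_IN_SECONDS;                 // access window, placeholder value
    $user_id = wp_insert_user( array(
        'user_login'   => 'wpmp-support-' . wp_generate_password( 8, false ),
        'user_pass'    => wp_generate_password( 32 ),   // never returned to anyone
        'user_email'   => sanitize_email( 'support@example.invalid' ), // placeholder
        'role'         => 'editor',                     // deliberately below administrator
        'display_name' => 'Vendor support (temporary)',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }

    $expires = time() + $ttl_seconds;
    update_user_meta( $user_id, '_wpmp_support_expires', $expires );
    update_user_meta( $user_id, '_wpmp_support_granted_by', get_current_user_id() );
    // Scheduled removal so a forgotten account does not linger.
    wp_schedule_single_event( $expires, 'wpmp_support_account_expire', array( $user_id ) );

    // Vendor staff obtain credentials through the vendor's own authenticated
    // channel; the AJAX response only reports what was created and when it ends.
    wp_send_json_success( array(
        'user_id' => $user_id,
        'expires' => gmdate( 'c', $expires ),
    ) );
}

// Cron callback: delete the temporary account once its window has passed.
add_action( 'wpmp_support_account_expire', 'wpmp_support_account_expire' );
function wpmp_support_account_expire( $user_id ) {
    $expires = (int) get_user_meta( $user_id, '_wpmp_support_expires', true );
    if ( $expires && time() >= $expires ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';   // wp_delete_user() lives here
        wp_delete_user( (int) $user_id );
    }
}
```

The two decisive differences are the hook prefix (`wp_ajax_` versus `wp_ajax_nopriv_`) and the `current_user_can()` call: a nonce only proves that the request came from a page WordPress served, which for a public front-end script is everyone. Creating the account with a role below administrator and an expiry limits the damage even if the gating is later weakened again.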

Mitigation steps:

Update WP Maps Pro plugin to version 6.1.1 or later immediately. Website administrators should check for any unauthorized administrator accounts that may have been created and remove them. Monitor for suspicious admin account creation activities.
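To support the account review recommended above, here is an added audit script (not part of the advisory or the plugin) that can be run with WP-CLI as `wp eval-file wpmp-admin-audit.php`. It lists every administrator account and flags the two indicators the advisory gives, the hardcoded email address support@flippercode.com and accounts registered inside a window you choose; the cut-off date is a constructed placeholder and the `_wpmp_` meta key prefix is a placeholder for whatever key the real plugin used.

```php
<?php
/**
 * Added audit example (not the plugin's code). Run inside WordPress, e.g.:
 *   wp eval-file wpmp-admin-audit.php
 * Set $cutoff to a date before the period during which the vulnerable
 * plugin version (6.1.0 or older) was installed.
 */
$cutoff = '2026-05-01 00:00:00';                       // constructed placeholder
$hardcoded_email = 'support@flippercode.com';          // from the advisory

function wpmp_audit_admins( $cutoff, $hardcoded_email ) {
    $cutoff_ts = strtotime( $cutoff );
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );

    $report = array();
    foreach ( $admins as $u ) {
        $flags = array();
        if ( 0 === strcasecmp( $u->user_email, $hardcoded_email ) ) {
            $flags[] = 'email matches hardcoded support address';
        }
        if ( strtotime( $u->user_registered ) >= $cutoff_ts ) {
            $flags[] = 'registered after cut-off';
        }
        // Any user meta left behind by the plugin's temporary-access feature.
        // The real key is unknown here; '_wpmp_' is a placeholder prefix.
        $meta = get_user_meta( $u->ID );
        foreach ( array_keys( $meta ) as $key ) {
            if ( 0 === strpos( $key, '_wpmp_' ) ) {
                $flags[] = "has plugin meta key {$key}";
            }
        }
        $report[] = array(
            'id'         => $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
            'flags'      => $flags,
        );
    }
    return $report;
}

foreach ( wpmp_audit_admins( $cutoff, $hardcoded_email ) as $row ) {
    $status = $row['flags'] ? 'REVIEW: ' . implode( '; ', $row['flags'] ) : 'ok';
    $line   = sprintf( '%-5d %-24s %-32s %-20s %s',
        $row['id'], $row['login'], $row['email'], $row['registered'], $status );
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::line( $line );
    } else {
        echo $line, PHP_EOL;
    }
}
```

Treat a flag as a prompt to review, not as proof of compromise: a legitimate administrator can have been created inside the window. For any account you do remove, `wp user delete <id> --reassign=<legitimate admin id>` keeps its content, and the site's access logs around the account's registration time show what the account did while it existed.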

Affected products:

WP Maps Pro WordPress plugin versions 6.1.0 and older


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
