WordPress site owners face an active threat as hackers exploit a critical vulnerability in the WP Maps Pro plugin to create rogue administrator accounts without authentication. The vulnerability (CVE-2026-8732) affects versions 6.1.0 and older and has already been used in over 3,600 attacks.
WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites
WordPress site owners are facing an active threat as hackers are exploiting a critical vulnerability in the popular WP Maps Pro plugin to create rogue administrator accounts without any authentication required. The vulnerability, tracked as CVE-2026-8732, has already been used in over 3,600 attacks within the past 24 hours according to security researchers at Defiant.
What is WP Maps Pro?
WP Maps Pro is a premium WordPress plugin designed for building interactive, customizable maps and store locators. It supports multiple map providers including Google Maps and OpenStreetMap. The plugin is particularly valuable for businesses, real estate websites, travel sites, directories, and any organization that needs to display multiple locations on a map. With over 15,800 sales on the Envato Market, it's a widely used solution among WordPress professionals.
(Image caption: Creating a rogue admin user)
Understanding the Vulnerability
The vulnerability exists in versions 6.1.0 and older of WP Maps Pro and was discovered by security researcher David Brown. The flaw stems from a "temporary access" feature in the plugin, which was designed to allow vendor support staff to access customer sites for troubleshooting purposes.
Brown found that the AJAX endpoint used for this feature was accessible to unauthenticated users and relied solely on a nonce check, with the nonce publicly exposed in frontend JavaScript, rendering the protection ineffective. A nonce only guards against cross-site request forgery; it does not establish who is making the request, so this oversight leaves a significant security hole that can be exploited by anyone who knows of the vulnerability.
How the Exploit Works
The attack process is particularly concerning due to its simplicity and effectiveness. Here's how it works:
- An attacker sends a specially crafted request to the vulnerable AJAX endpoint
- The request triggers code that creates a new WordPress user with administrator privileges
- The system generates a random username and assigns the hardcoded email address [email protected]
- A "magic login URL" is generated and stored as user meta
- This URL is returned in the response body
- When the attacker visits this URL, they are automatically authenticated to the newly created administrator account without requiring any password or verification
As researchers at Defiant explain, "When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address [email protected]. The function then generates a 'magic login URL' using generate_login_link(), stores it as user meta, and returns it in the response body."
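The flaw described above comes down to a privileged AJAX handler that is reachable by anonymous visitors and gated only by a public nonce. The following is an added illustration, not WP Maps Pro's code: a schematic of that unsafe pattern beside a hardened version. The hook names, the `example_support` role and the expiry meta key are hypothetical.

```php
<?php
// Added example (not the plugin's code). Hook names and the custom role are hypothetical.

// UNSAFE: registered on the "nopriv" hook, so unauthenticated visitors reach the
// handler, and the only gate is a nonce that the plugin prints into frontend
// JavaScript. A nonce is a CSRF token, not an authentication or authorization check.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_unsafe' );
function example_temp_access_unsafe() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // nonce is publicly readable
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator', // hardcoded privileged role
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED: only the logged-in hook is used, so anonymous requests never reach the
// function; an explicit capability check ties the action to a real privileged user;
// the nonce stays as CSRF protection; the created account gets a limited, expiring
// support role instead of administrator.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );
function example_temp_access_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_temp_access', 'nonce' );

    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        // Custom role (registered elsewhere with add_role()) carrying only the
        // capabilities support staff actually need.
        'role'       => 'example_support',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }

    // Record an expiry so a scheduled task can delete the account after 24 hours.
    update_user_meta( $user_id, 'example_support_expires', time() + DAY_IN_SECONDS );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The key difference is that the hardened handler answers the question "who is asking?" before "is this request forged?"; the nonce alone answers only the second.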
Impact of Compromised Sites
Once attackers gain administrator access to a WordPress site, they can:
- Inject persistent backdoors for future access
- Modify website content, potentially adding malicious scripts
- Access sensitive data stored in the database
- Deploy web shells for remote control
- Install additional malicious plugins
- Completely take over the website
This level of access can lead to data breaches, malware distribution, defacement of websites, and the site being added to blacklists, which can significantly impact business operations and reputation.
Timeline of Events
The vulnerability was first reported to Wordfence by David Brown on March 24, 2026. After Wordfence validated the exploit, the vendor was notified on May 16, 2026. WP Maps Pro version 6.1.1 was released on May 20, 2026, addressing the vulnerability.
Despite the quick response from the vendor, malicious actors have already begun actively exploiting the vulnerability in the wild. Defiant has blocked more than 3,600 exploit attempts over the past 24 hours, indicating a widespread and ongoing attack campaign.
Immediate Actions for Site Owners
For website administrators running WP Maps Pro, immediate action is required:
Update the plugin immediately: Update to WP Maps Pro version 6.1.1 or higher to patch the vulnerability. The plugin can be updated through the WordPress dashboard or by downloading the latest version from the Envato Market.
Check for compromised admin accounts: Review the list of users in your WordPress dashboard to look for any suspicious administrator accounts, particularly those with the email address [email protected].
Scan for backdoors: Use security plugins like Wordfence to scan for any malicious code or backdoors that may have been installed.
Reset passwords: Change all administrator passwords immediately, especially if you suspect your site may have been compromised.
Review recent activity: Check your site's logs (web server access logs and any security plugin's activity log) for unusual activity, particularly around user creation and login attempts.
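The account review above can be scripted. This is an added example, not part of the article or the plugin: a WP-CLI script (run with `wp eval-file audit-admins.php`) that lists every administrator and flags recently registered accounts, accounts whose email domain differs from the site's, and accounts whose user meta stores a URL pointing at this site, which is how the article says the magic login link is kept. The 7-day window, the email-domain heuristic and the URL-in-meta heuristic are assumptions, since the real meta key and address are not public.

```php
<?php
// Added example (not from the article or the plugin). Assumptions: a 7-day
// "recent" window, that legitimate admins use the site's own email domain, and
// that a stored magic login link looks like a URL for this site with a query string.

$window_start = gmdate( 'Y-m-d H:i:s', time() - 7 * DAY_IN_SECONDS );
$site_host    = wp_parse_url( home_url(), PHP_URL_HOST );

$admins = get_users( array(
    'role'    => 'administrator',
    'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

foreach ( $admins as $u ) {
    $flags = array();

    if ( $u->user_registered >= $window_start ) {
        $flags[] = 'registered within the last 7 days';
    }

    $email_host = substr( strrchr( $u->user_email, '@' ), 1 );
    if ( $email_host && strcasecmp( $email_host, $site_host ) !== 0 ) {
        $flags[] = 'email domain ' . $email_host . ' differs from site domain';
    }

    // Heuristic: any user meta value that is a URL for this site with a query
    // string may be a stored login link.
    foreach ( get_user_meta( $u->ID ) as $meta_key => $values ) {
        foreach ( $values as $v ) {
            if ( is_string( $v ) && strpos( $v, home_url() ) === 0 && strpos( $v, '?' ) !== false ) {
                $flags[] = "meta '$meta_key' holds a URL for this site";
            }
        }
    }

    printf(
        "%-6s %5d %-20s %-30s %s  %s\n",
        $flags ? 'REVIEW' : 'ok',
        $u->ID,
        $u->user_login,
        $u->user_email,
        $u->user_registered,
        implode( '; ', $flags )
    );
}
```

Rows marked REVIEW are candidates for manual inspection, not confirmed compromises; cross-check them against who actually created each account before removing it.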
Additional Security Measures
To protect against similar vulnerabilities in the future:
Regular updates: Keep all WordPress plugins, themes, and the core WordPress installation updated to the latest versions.
Principle of least privilege: Only assign administrator roles to users who absolutely need them. Consider using role editor plugins to create custom roles with limited permissions.
Security monitoring: Implement security monitoring solutions that can detect and alert on unusual activity.
Web application firewall (WAF): Use a WAF to help block malicious requests before they reach your site.
Regular security audits: Conduct regular security audits of your WordPress installation, including reviewing installed plugins and their permissions.
Expert Commentary
Security experts emphasize the importance of addressing this vulnerability promptly. "This is a classic example of how a well-intentioned feature can create a significant security risk if not properly implemented," commented David Brown, the researcher who discovered the vulnerability. "The 'temporary access' functionality was designed to help customers, but the implementation failed to ensure proper authentication."
Maria Rodriguez, a WordPress security consultant at Defiant, added, "We're seeing a pattern where attackers are actively scanning for and exploiting known vulnerabilities in popular WordPress plugins. This underscores the importance of keeping plugins updated and having robust security monitoring in place."
Conclusion
The CVE-2026-8732 vulnerability in WP Maps Pro serves as a stark reminder of the ongoing security challenges faced by WordPress site owners. The ability to create administrator accounts without authentication represents a critical threat that can lead to complete website compromise.
For site administrators running WP Maps Pro, updating to version 6.1.1 or higher is the immediate priority. Beyond this incident, the situation highlights the importance of maintaining good security hygiene, including regular updates, proper access controls, and vigilant monitoring for suspicious activity.
As the WordPress ecosystem continues to evolve, both plugin developers and site owners must prioritize security in their development and maintenance processes to prevent similar vulnerabilities from being exploited in the future.
