- A critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin allows attackers to create admin accounts.
- The flaw affects versions prior to 6.1.1 and has been actively exploited, with thousands of attacks blocked in a single day.
- Plugin users must immediately update to version 6.1.1 to prevent site takeover.
Security researchers are reporting active exploitation of a severe vulnerability in the popular WP Maps Pro plugin, threatening over 15,000 WordPress sites. According to a report from researcher David Brown, the flaw allows unauthenticated attackers to create administrator accounts, enabling complete site takeover. The vulnerability, CVE-2026-8732, impacts all versions of the plugin up to 6.1.0.
Wordfence stated that the issue stems from a “temporary access” feature designed for support troubleshooting. This feature, however, lacked proper authentication checks, allowing anyone to invoke a function that creates a new user with the hardcoded role of administrator. Consequently, attackers could gain full control of a vulnerable website.
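As an added illustration (not code from WP Maps Pro or from the Wordfence report), here is the bug class described above written in WordPress terms: a support-access handler registered on the unauthenticated AJAX hook that creates a user with a hardcoded administrator role, beside a hardened form that requires a nonce, a capability check and a low-privilege, expiring account. All hook names, action names, parameters and meta keys are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Hook and action names,
// request parameters and the meta key below are hypothetical.

// VULNERABLE pattern: reachable by anyone (the nopriv hook), no capability
// check, no nonce, and the role is hardcoded to administrator.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
function example_temp_access_vulnerable() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ) ),
        'user_pass'  => wp_generate_password(),
        'role'       => 'administrator', // privilege granted to any caller
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED pattern: only logged-in users reach the hook, the caller must be
// able to manage_options, the request must carry a valid nonce, and the
// account created is low-privilege with a recorded expiry for cleanup.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );
function example_temp_access_hardened() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // rejects CSRF
    if ( ! current_user_can( 'manage_options' ) ) {       // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $login   = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber', // never hardcode administrator
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // Hypothetical meta key so a scheduled task can remove stale accounts.
    update_user_meta( $user_id, 'example_temp_access_expires', time() + DAY_IN_SECONDS );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

After updating, site owners can also review the Users screen (or `wp user list --role=administrator` with WP-CLI) for administrator accounts they do not recognize.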
The plugin’s developers patched the vulnerability in version 6.1.1 released on May 20, 2026. Meanwhile, threat actors have not hesitated to exploit it. Wordfence data shows it has “blocked 2,858 attacks” targeting the issue in the past 24 hours. Therefore, site owners using the store locator plugin must update immediately to secure their installations.