Critical WP Maps Pro Flaw Under Active Attack Lets Hackers Create Administrator Accounts

Attackers are exploiting a severe vulnerability in the WP Maps Pro plugin to gain full control of WordPress websites without needing credentials.

WordPress website owners face a new security threat as attackers actively exploit a critical vulnerability in the popular WP Maps Pro plugin. The flaw allows unauthenticated users to create administrator accounts and take complete control of vulnerable websites.

Tracked as CVE-2026-8732, the vulnerability affects WP Maps Pro version 6.1.0 and earlier. Security researchers have already observed active exploitation attempts in the wild, making immediate patching a priority for affected organizations.

A Support Feature Turned Into an Attack Path

WP Maps Pro is a premium WordPress plugin used to create interactive maps, store locators, and location-based services. Businesses, real estate companies, travel platforms, and directory websites frequently use the plugin to display multiple locations through mapping services such as Google Maps and OpenStreetMap.

The vulnerability originates from a "temporary access" feature designed to help vendor support teams troubleshoot customer websites. While the feature aimed to simplify support operations, researchers discovered that attackers could abuse it to gain unauthorized administrative access.

The issue stemmed from an AJAX endpoint that accepted requests from unauthenticated users. The endpoint relied on a publicly exposed security nonce found in frontend JavaScript. Because attackers could easily obtain this value, the protection mechanism failed to prevent unauthorized access. WordPress nonces are a cross-site request forgery defense, not an authentication or authorization check, so an endpoint guarded by a nonce alone is effectively open to anyone who can read the page source.

How the Exploit Works

An attacker can send a specially crafted request to the vulnerable endpoint and trigger functionality that creates a new WordPress account with administrator privileges.

The process does not stop there. The vulnerable code also generates a passwordless login link tied to the newly created account. Once an attacker opens the generated URL, WordPress automatically authenticates the session without requiring a password or additional verification.

As a result, attackers can gain full administrative control over a website within minutes.

Researchers noted that the created account uses randomly generated usernames while assigning administrator privileges automatically. This allows threat actors to establish persistent access while avoiding immediate detection.

Why Administrator Access Is So Dangerous

Administrator privileges represent the highest level of access within WordPress. Once attackers obtain these rights, they can perform virtually any action on the website.

Threat actors may install malicious plugins, upload web shells, inject persistent backdoors, modify website content, steal sensitive information, or redirect visitors to malicious destinations.

Additionally, compromised websites can become launch points for phishing campaigns, malware distribution, and further attacks against customers and business partners.

For organizations that rely on their websites for customer engagement or e-commerce operations, the consequences can include service disruption, reputational damage, and data exposure.

Exploitation Already Underway

Security researchers monitoring WordPress attacks have confirmed that threat actors are actively attempting to exploit the flaw.

Thousands of exploitation attempts were detected and blocked within a single day. This level of activity indicates that attackers quickly integrated the vulnerability into their scanning and exploitation campaigns after public disclosure.

The rapid adoption of the exploit highlights how quickly cybercriminals move when critical WordPress vulnerabilities become available.

Immediate Action Required

The vendor addressed the vulnerability in WP Maps Pro version 6.1.1. Website administrators should update immediately if they are running affected versions of the plugin.

Organizations should also review WordPress administrator accounts for unknown users, inspect recent plugin and theme changes, and monitor logs for suspicious authentication activity.

Security teams should consider implementing additional monitoring for privilege escalation events and unauthorized account creation attempts.
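One way to turn the account review above into a repeatable check, as an added example that is not part of the original article: the script audits the administrator list exported by WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_registered,user_email --format=json`) and flags accounts that are not on an owner-maintained allowlist, were registered recently, or carry a random-looking username like the ones the article describes. The JSON sample, the allowlist and the thresholds are constructed assumptions.

```python
import json
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample shaped like the output of:
#   wp user list --role=administrator --fields=ID,user_login,user_registered,user_email --format=json
# User 57 imitates the article's pattern: a fresh administrator with a randomly generated login.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteadmin", "user_registered": "2021-03-02 09:14:55",
     "user_email": "ops@example.com"},
    {"ID": 2, "user_login": "jdoe", "user_registered": "2023-07-19 12:00:01",
     "user_email": "jdoe@example.com"},
    {"ID": 57, "user_login": "x7k2p9qv3m", "user_registered": "2026-05-11 03:27:40",
     "user_email": "x7k2p9qv3m@example.net"},
])
KNOWN_ADMINS = {"siteadmin", "jdoe"}  # assumption: an allowlist the site owner maintains
WP_DATE = "%Y-%m-%d %H:%M:%S"        # format WordPress uses in user_registered


def shannon_entropy(text):
    """Bits per character; a crude measure of how random a login looks."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_random(login, min_len=8, min_entropy=3.0):
    """Heuristic for generated usernames: long, high entropy, letters mixed with digits."""
    return (len(login) >= min_len and shannon_entropy(login) >= min_entropy
            and any(ch.isdigit() for ch in login) and any(ch.isalpha() for ch in login))


def audit_admins(raw_json, known_logins, now, recent_days=30):
    """Return the administrators worth a closer look, each with the reasons it was flagged."""
    now_dt = datetime.strptime(now, WP_DATE)
    findings = []
    for user in json.loads(raw_json):
        reasons = []
        if user["user_login"] not in known_logins:
            reasons.append("not in approved administrator list")
        registered = datetime.strptime(user["user_registered"], WP_DATE)
        if now_dt - registered <= timedelta(days=recent_days):
            reasons.append(f"registered within the last {recent_days} days")
        if looks_random(user["user_login"]):
            reasons.append("random-looking username")
        if reasons:
            findings.append({"ID": user["ID"], "user_login": user["user_login"], "reasons": reasons})
    return findings
```

Run it on a schedule against the live export and alert on any non-empty result; the allowlist check alone catches accounts the attack pattern creates, while the other two heuristics help when an attacker picks a plausible-looking name.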

A Reminder About WordPress Plugin Security

The incident serves as another reminder that third-party plugins can introduce significant security risks. Even features designed for customer support can become attack vectors if developers do not apply strong authentication controls.

As WordPress continues to power millions of websites worldwide, attackers will keep targeting plugins that provide elevated access or administrative functionality.

Regular patch management, security monitoring, and plugin audits remain essential defenses against these increasingly common attacks.