
Critical WP Maps Pro Vulnerability Under Active Attack, WordPress Sites at Risk of Full Takeover



A critical security vulnerability in the popular WP Maps Pro WordPress plugin is being actively exploited by attackers to take over vulnerable websites.

The flaw, tracked as CVE-2026-8732, has a CVSS score of 9.8 and affects all versions of WP Maps Pro up to version 6.1.0. The issue has been fixed in version 6.1.1, and website owners are strongly advised to update immediately.

WP Maps Pro is a premium WordPress plugin used to add Google Maps and OpenStreetMap integrations to websites. It is commonly used for store locators, business listings, and location-based services. The plugin has recorded more than 15,000 sales on Envato Market.

The vulnerability allows an unauthenticated attacker to create a new WordPress administrator account without needing valid login credentials. Once an administrator account is created, an attacker can gain complete control of the website. This could allow them to modify content, install malicious plugins, steal data, redirect visitors, or even lock legitimate site owners out of their own websites.

According to researchers, the issue is linked to a temporary access feature intended for support and troubleshooting purposes. The feature was designed to let support staff access a customer’s website when assistance was required. However, the implementation lacked proper access controls, making it possible for anyone to trigger the functionality remotely.

The flaw exists in a function called wpgmp_temp_access_support().

Researchers found that the related AJAX endpoint could be reached without authentication. The only protection was a WordPress nonce, and that nonce was printed into the site's public frontend pages, where any visitor could read it. A nonce is a CSRF token, not proof of identity or permission, so validating it did nothing to restrict who could call the endpoint. Attackers could therefore fetch the nonce from any page, send it along with the request, and trigger the administrator account creation process.

After creating the account, the vulnerable code also generated a special login URL that automatically authenticated the newly created administrator, giving attackers immediate access to the site.

In simple terms, a remote attacker could create an admin account and log in without ever knowing a username or password.
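To make the flaw class concrete, here is a hypothetical illustration, added for this article and not taken from WP Maps Pro, the researchers, or Wordfence, of the pattern the description implies: an AJAX handler reachable by anonymous users, guarded only by a nonce that the plugin itself publishes in the page HTML, followed by a hardened version of the same feature. All hook names, function names, option names and meta keys (`example_*`) are invented for the demonstration.

```php
<?php
/**
 * Hypothetical illustration of the flaw class described above. Added example
 * code, NOT the WP Maps Pro source; every example_* identifier is invented.
 */

// --- Vulnerable pattern ----------------------------------------------------

add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-frontend', plugins_url( 'frontend.js', __FILE__ ), array(), '1.0', true );
    // The nonce is written into the HTML of every public page. Anyone can read it,
    // so it only proves "this request was built from our page", never "this caller
    // is authorized".
    wp_localize_script( 'example-frontend', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_temp_access' ),
    ) );
} );

// wp_ajax_nopriv_* makes the handler reachable without any login.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_example_temp_access',        'example_temp_access_vulnerable' );

function example_temp_access_vulnerable() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // CSRF check only; no capability check follows.

    $login   = 'support_' . wp_generate_password( 8, false );
    $user_id = wp_create_user( $login, wp_generate_password( 24 ), $login . '@example.invalid' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    ( new WP_User( $user_id ) )->set_role( 'administrator' );

    // A one-time token that a companion 'init' hook (not shown) would exchange for
    // a logged-in admin session: whoever receives this URL is now an administrator.
    $token = wp_generate_password( 40, false );
    update_user_meta( $user_id, 'example_autologin_token', wp_hash( $token ) );
    wp_send_json_success( array(
        'login_url' => add_query_arg( 'example_autologin', $token, home_url( '/' ) ),
    ) );
}

// --- Hardened pattern ------------------------------------------------------

// No nopriv hook: anonymous callers never reach the handler at all.
add_action( 'wp_ajax_example_temp_access_safe', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    check_ajax_referer( 'example_temp_access', 'nonce' );

    // Authorization: only a logged-in user who can already create and promote
    // users may mint another administrator. The nonce alone never grants this.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // Require an explicit, admin-set opt-in so the feature is off by default.
    if ( ! get_option( 'example_support_access_enabled', false ) ) {
        wp_send_json_error( 'Support access is not enabled on this site.', 403 );
    }

    $login    = 'support_' . wp_generate_password( 8, false );
    $password = wp_generate_password( 24 );
    $user_id  = wp_create_user( $login, $password, $login . '@example.invalid' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    ( new WP_User( $user_id ) )->set_role( 'administrator' );

    // Record who created it and when, and make it expire: scheduled deletion after
    // 24 hours limits the blast radius if the credentials leak.
    update_user_meta( $user_id, 'example_support_created_by', get_current_user_id() );
    update_user_meta( $user_id, 'example_support_expires', time() + DAY_IN_SECONDS );
    wp_schedule_single_event( time() + DAY_IN_SECONDS, 'example_delete_support_user', array( $user_id ) );

    // Credentials go back to the authenticated administrator only, to be passed to
    // support out of band; no self-authenticating URL is ever generated.
    wp_send_json_success( array( 'user_id' => $user_id, 'login' => $login, 'password' => $password ) );
}

add_action( 'example_delete_support_user', function ( $user_id ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( (int) $user_id );
} );
```

The two handlers differ in three places that matter: the hardened one is not registered on a `wp_ajax_nopriv_*` hook, it checks `current_user_can()` after the nonce check rather than treating the nonce as authorization, and it never emits a URL that logs the bearer in. The nonce check stays in both versions because it still has a job (CSRF protection); it simply was never the right tool for deciding who may create an administrator.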

The vulnerability was reported by security researcher David Brown and patched by the plugin developers on May 20, 2026. However, attackers have already started targeting websites that have not installed the update.

Security company Wordfence says it blocked 2,858 exploitation attempts related to the vulnerability within a 24-hour period, indicating that threat actors are actively scanning the internet for vulnerable WordPress installations. The number suggests that automated attacks are already underway.

If your website uses WP Maps Pro, updating to version 6.1.1 should be the highest priority. Updating closes the hole but does not undo a takeover that has already happened, so site administrators should also review their user accounts and verify that no unknown administrator accounts have been created. Any such account means the site should be treated as compromised: check recent login activity, installed plugins, and site modifications for further signs of attacker persistence before trusting the site again.
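The account review above can be scripted. The following is an added example, not from the article, the plugin or Wordfence, that lists every administrator account with its registration date, flags accounts registered on or after the patch date reported above, and lists plugins whose files changed since that date. It is meant to be run with WP-CLI as `wp eval-file audit-admins.php`; the cutoff date and the file name are assumptions, and the file-timestamp check is only a first pass, since an attacker who already has admin access can reset timestamps.

```php
<?php
/**
 * Added example (not part of the original article). Run from the site root:
 *   wp eval-file audit-admins.php
 * Lists administrator accounts and flags recent ones; exits non-zero if any are flagged.
 */

// Assumption: the patch date reported for CVE-2026-8732. Adjust for your own timeline.
$cutoff = strtotime( '2026-05-20 00:00:00 UTC' );

// get_users() with 'role' queries wp_capabilities in usermeta, so it also catches
// accounts that were promoted after creation rather than registered as admins.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

$suspicious = 0;
printf( "%-5s %-24s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered (UTC)', 'flags' );
foreach ( $admins as $u ) {
    $registered = strtotime( $u->user_registered . ' UTC' ); // WordPress stores this column in UTC
    $flags      = array();
    if ( false !== $registered && $registered >= $cutoff ) {
        $flags[] = 'registered since cutoff';
    }
    if ( ! is_email( $u->user_email ) ) {
        $flags[] = 'invalid email';
    }
    if ( $flags ) {
        $suspicious++;
    }
    printf( "%-5d %-24s %-32s %-20s %s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, implode( ', ', $flags ) );
}

// Plugins whose main file changed since the cutoff: a quick pointer to where a
// freshly installed or modified plugin may have been dropped. Timestamps are
// attacker-controllable, so treat this as a lead, not as proof either way.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
foreach ( get_plugins() as $file => $data ) {
    $mtime = @filemtime( WP_PLUGIN_DIR . '/' . $file );
    if ( false !== $mtime && $mtime >= $cutoff ) {
        printf( "plugin changed since cutoff: %s (%s) at %s%s\n",
            $data['Name'], $file, gmdate( 'Y-m-d H:i:s', $mtime ),
            is_plugin_active( $file ) ? ' [active]' : '' );
    }
}

printf( "%d administrator account(s), %d flagged\n", count( $admins ), $suspicious );

// Under WP-CLI, return a non-zero exit status when anything was flagged so the
// script can gate a scheduled check.
if ( class_exists( 'WP_CLI' ) ) {
    WP_CLI::halt( $suspicious > 0 ? 1 : 0 );
}
```

A flagged account is a prompt to investigate, not an automatic verdict: a legitimate administrator may well have been added after the patch date. Conversely, a clean listing does not prove the site is safe, since an attacker who obtained an administrator session may have removed the account after planting other persistence.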

Cyberattacks targeting WordPress websites continue to increase, and many compromises happen because of outdated plugins and poor security practices.

Techlomedia offers WordPress development, website maintenance, security hardening, malware removal, performance optimization, Software Development, and technical support services for businesses and individuals. If you need professional help with your WordPress website, you can get in touch with us through Techlomedia Internet.




About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
