
WP Maps Pro bug lets attackers create admin accounts

Attackers are actively targeting WordPress sites running vulnerable versions of the WP Maps Pro plugin, abusing a flaw tracked as CVE-2026-8732 to create rogue administrator accounts and log in automatically—without passwords—before WordPress Maps Pro 6.1.1 sh

By the time an infected WordPress site is noticed, the damage can already be in motion: a hidden administrator account can be created, a passwordless login link can be generated, and the attacker can move in.

That’s the reality facing many operators after hackers began exploiting a vulnerability in the WP Maps Pro plugin, a premium mapping tool used by businesses, real estate websites, travel sites, directories, and organizations displaying multiple locations on a map. WP Maps Pro supports multiple map providers, including Google Maps and OpenStreetMap, and has recorded over 15,800 sales on the Envato Market.

The flaw is tracked as CVE-2026-8732. It carries a critical severity rating and affects WP Maps Pro version 6.1.0 and older. Security researcher David Brown discovered the issue and reported it as the kind of weakness that doesn’t require credentials—because the plugin’s intended “temporary access” mechanism can be reached by unauthenticated users.


The vulnerability hinges on a feature meant to allow vendor support staff to access customer sites for troubleshooting. Brown found that the AJAX endpoint used for that access could be called by anyone, and the protection relied only on a publicly exposed nonce check in frontend JavaScript—making the barrier ineffective.

A specially crafted request can trigger code that creates a new WordPress user, assigns it the administrator role, generates a passwordless login URL, and sends it to a remote system. When the attacker visits the resulting URL, they are automatically authenticated to the newly created administrator account, with no password or any other verification required.


Having admin-level access on a site is the difference between a nuisance and a compromise. With administrator privileges, attackers can inject persistent backdoors, modify content, access private data, deploy web shells, install malicious plugins, and take over the website.

Defiant, a WordPress security company, observed threat actors trying to exploit the vulnerability and blocked more than 3,600 attempts over the past 24 hours.

Describing the mechanics of the exploit, Defiant researchers explain what happens when the request is made with a check_temp parameter set to false: the function creates a new WordPress user via wp_insert_user(), with a hardcoded role of administrator, a randomly generated username, and a hardcoded email address of support@flippercode.com. It then generates a “magic login URL” using generate_login_link(), stores it as user meta, and returns it in the response body.
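To make the underlying mistake concrete, the following is an added illustration of the pattern described above, not the plugin’s own code: the action names, function names, meta key and `check_temp` handling are assumed. It puts an AJAX handler gated only by a nonce next to a hardened handler that is not registered for unauthenticated callers, checks a capability, and never returns a passwordless login link.

```php
<?php
// Hypothetical reconstruction of the pattern the article describes; not WP Maps Pro code.

// VULNERABLE PATTERN: the handler is also hooked for logged-out visitors
// (wp_ajax_nopriv_) and the only gate is a nonce. A nonce proves the request
// came from a page that embedded it; the frontend JavaScript hands that value
// to every visitor, so it is a CSRF token, not authorization.
add_action( 'wp_ajax_nopriv_demo_temp_access', 'demo_temp_access_vulnerable' );
add_action( 'wp_ajax_demo_temp_access',        'demo_temp_access_vulnerable' );
function demo_temp_access_vulnerable() {
    check_ajax_referer( 'demo_temp_access', 'nonce' );     // reachable by anyone
    if ( isset( $_POST['check_temp'] ) && 'false' === $_POST['check_temp'] ) {
        // ... creates an administrator and returns a magic login URL (see article)
    }
}

// HARDENED PATTERN: no nopriv hook, an explicit capability check, a
// time-limited account with the least role the task needs, and an audit line.
add_action( 'wp_ajax_demo_temp_access_safe', 'demo_temp_access_hardened' );
function demo_temp_access_hardened() {
    check_ajax_referer( 'demo_temp_access_safe', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {      // authorization, not just CSRF
        wp_send_json_error( 'forbidden', 403 );
    }
    $login   = 'support_' . wp_generate_password( 8, false );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 32 ),      // never returned to the caller
        'user_email' => 'support@example.invalid',       // placeholder address
        'role'       => 'editor',                        // raise only if the task truly needs more
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    // Expiry is recorded so a scheduled task can remove the account later.
    update_user_meta( $user_id, 'demo_temp_access_expires', time() + DAY_IN_SECONDS );
    error_log( sprintf( 'temp support user %d created by admin %d', $user_id, get_current_user_id() ) );
    // The support user obtains a password through WordPress's own reset flow;
    // no passwordless URL is minted or shipped off-site.
    wp_new_user_notification( $user_id, null, 'user' );
    wp_send_json_success( array( 'user_login' => $login ) );
}
```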

Brown reported the flaw to Wordfence on March 24, and the vendor was notified on May 16 after validating the exploit. WP Maps Pro 6.1.1—released on May 20—includes the fix for CVE-2026-8732.

For website administrators, the response is straightforward: update the plugin as soon as possible. Malicious activity has already been observed, and this particular bug doesn’t depend on stolen logins. It turns the plugin’s support access idea into an open door.

