A critical security flaw in the popular WordPress plugin WP Maps Pro is being actively exploited by attackers to create unauthorized administrator accounts on vulnerable websites.
The vulnerability, tracked as CVE-2026-8732, carries a severe CVSS score of 9.8, making it a critical-risk issue for website owners using the plugin. According to security researchers, the flaw allows unauthenticated attackers to gain administrative access, which could lead to full WordPress site takeover.
WP Maps Pro is commonly used by businesses to add advanced map features to WordPress websites. It supports Google Maps and OpenStreetMap integrations, location markers, store locators, listings, and direction-based features. Because the plugin is used by commercial websites, local businesses, directories, and service providers, the impact of this vulnerability could be significant.
What Is CVE-2026-8732?
CVE-2026-8732 is a privilege escalation vulnerability affecting WP Maps Pro versions up to and including 6.1.0.
In simple terms, privilege escalation means an attacker can gain higher-level permissions than they should have. In this case, the issue allows someone who is not logged in to create a new WordPress user account with administrator privileges.
Once an attacker has administrator access, they may be able to:
- Change website content
- Install malicious plugins or themes
- Redirect visitors to scam or malware pages
- Steal sensitive data
- Create additional backdoor accounts
- Lock legitimate administrators out of the site
For WordPress site owners, this is especially dangerous because administrator access gives attackers broad control over the website.
How the WP Maps Pro Vulnerability Works
The flaw is connected to a “temporary access” support feature inside the plugin. This feature was designed to help support staff access customer websites during troubleshooting.
However, researchers found that the function handling this access could be triggered without proper authentication. The security check protecting the feature relied on a nonce value that was publicly exposed on website pages, making it ineffective as a true access control mechanism.
As a result, attackers could abuse the vulnerable function to create a new WordPress administrator account. In some cases, the process could also return a login link that allows the attacker to authenticate as the newly created administrator.
This means the attack does not require a stolen password, an existing user account, or interaction from the website owner.
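The root cause described above is a class of bug that recurs in WordPress plugins: a WordPress nonce is a CSRF token, and a nonce printed into public page markup proves nothing about who is sending the request. The following is an added illustration, not code from WP Maps Pro or from the researchers who reported the flaw; every function, hook and option name (the `acme_` prefix, the placeholder email address) is hypothetical. It shows the weak pattern next to the hardened form a maintainer would ship.

```php
<?php
// Added example, not the WP Maps Pro plugin's own code. All names with the
// acme_ prefix are hypothetical. The weak handler is the flaw class described
// in the article: an account-creating AJAX action reachable without login and
// gated only by a nonce that is embedded in public page HTML.

// --- Weak pattern -----------------------------------------------------------
// A nonce proves the request was assembled from a page that embedded it. If
// that page is public, any visitor can read the nonce, so check_ajax_referer()
// on its own is not an authentication or authorization check.
function acme_weak_temp_access() {
    check_ajax_referer( 'acme_temp_access' ); // nonce visible in public markup
    $user_id = wp_create_user( 'acme-support', wp_generate_password(), 'support@example.invalid' );
    $user    = new WP_User( $user_id );
    $user->set_role( 'administrator' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// The nopriv hook makes the action available to unauthenticated visitors.
add_action( 'wp_ajax_nopriv_acme_temp_access', 'acme_weak_temp_access' );

// --- Hardened pattern -------------------------------------------------------
function acme_hardened_temp_access() {
    // 1. Real authorization first: only a logged-in user who may already
    //    manage the site can grant support access. Nothing readable from a
    //    public page satisfies this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. The nonce stays, but as CSRF protection for that logged-in user,
    //    not as the only gate.
    check_ajax_referer( 'acme_temp_access', 'nonce' );

    // 3. Least privilege and auditability: a clearly named account with a
    //    random password, an expiry recorded in user meta, and a log line,
    //    so it stands out in the admin-account review the article recommends.
    $login   = 'acme-support-' . wp_generate_password( 6, false );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24 ),
        'user_email' => 'support@example.invalid', // placeholder address
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    update_user_meta( $user_id, 'acme_temp_access_expires', time() + DAY_IN_SECONDS );
    error_log( sprintf(
        'acme temp access: admin %d created support user %d (%s)',
        get_current_user_id(), $user_id, $login
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Authenticated hook only; no wp_ajax_nopriv_ registration exists for it.
add_action( 'wp_ajax_acme_temp_access', 'acme_hardened_temp_access' );
```

The two decisive changes are the capability check (`current_user_can`) and the removal of the `wp_ajax_nopriv_` registration; the nonce alone never distinguished an administrator from an anonymous visitor. The expiry stored in user meta is a design choice for a feature of this kind: a plugin that must create support accounts should also be responsible for removing them.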
Active Exploitation Has Already Been Observed
Security researchers have warned that attackers are already attempting to exploit the WP Maps Pro vulnerability in the wild.
Wordfence reported blocking thousands of exploitation attempts targeting this issue within a short period. This confirms that the vulnerability is not just theoretical. Attackers are actively scanning for vulnerable WordPress websites and trying to create rogue admin accounts.
For website owners, the most urgent step is to check whether WP Maps Pro is installed and confirm which version is currently running.
Which WP Maps Pro Versions Are Affected?
The vulnerability affects:
- WP Maps Pro version 6.1.0 and earlier
The issue has been fixed in:
- WP Maps Pro version 6.1.1
If your website is running version 6.1.0 or below, it should be considered at risk. Updating the plugin should be treated as an urgent security priority.
How to Protect Your WordPress Website
WordPress administrators using WP Maps Pro should take immediate action to reduce the risk of compromise.
First, update WP Maps Pro to version 6.1.1 or later. This is the official patched version that addresses the vulnerability.
Next, review all administrator accounts on your WordPress site. Look for unknown users, suspicious usernames, unfamiliar email addresses, or recently created admin accounts.
Website owners should also check server logs, WordPress activity logs, and security plugin alerts for signs of unauthorized access. If a suspicious admin account is found, remove it immediately and rotate passwords for all legitimate administrator accounts.
It is also recommended to:
- Enable two-factor authentication for administrator accounts
- Remove unused plugins and themes
- Keep WordPress core updated
- Use a reputable WordPress security plugin
- Review file changes for possible malware or backdoors
- Back up the website before and after remediation
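One way to carry out the administrator-account review described above, as an added example that is not part of the article: a script run inside the WordPress install with WP-CLI (`wp eval-file audit-admins.php`), so the WordPress user API is available. The cutoff date is a placeholder to replace with the last date the site was known to be clean; the file name and all heuristics are this example's own.

```php
<?php
// Added example, not from the article or the plugin. Run inside a WordPress
// install with WP-CLI:  wp eval-file audit-admins.php
// Lists every administrator, newest first, and flags accounts that are
// recently registered, use an email domain other than the site's, or hold
// capabilities granted directly to the user rather than through a role.

$cutoff    = strtotime( '2026-01-01 00:00:00' );          // placeholder: last known-clean date
$site_host = wp_parse_url( home_url(), PHP_URL_HOST );     // e.g. "www.example.com"
$site_host = preg_replace( '/^www\./', '', (string) $site_host );

$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

printf( "%-5s %-24s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered', 'flags' );

foreach ( $admins as $u ) {
    $flags = array();

    // Accounts registered after the cutoff deserve a second look.
    if ( strtotime( $u->user_registered ) >= $cutoff ) {
        $flags[] = 'RECENT';
    }

    // An email domain that does not match the site is a weak but useful
    // signal for "unfamiliar email addresses".
    $email_host = substr( strrchr( (string) $u->user_email, '@' ), 1 );
    if ( $site_host && $email_host !== $site_host ) {
        $flags[] = 'EXTERNAL-EMAIL';
    }

    // $u->caps holds both role slugs and capabilities assigned directly to the
    // user. Direct capabilities survive a role change and are a common way for
    // a planted account to keep access, so list any that are not role names.
    $direct_caps = array_diff_key( (array) $u->caps, array_flip( (array) $u->roles ) );
    if ( ! empty( $direct_caps ) ) {
        $flags[] = 'DIRECT-CAPS:' . implode( '|', array_keys( $direct_caps ) );
    }

    printf( "%-5d %-24s %-32s %-20s %s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, implode( ',', $flags ) );
}

// A user can hold manage_options without the administrator role (custom role,
// renamed role, or a directly granted capability). get_users(['role' => ...])
// does not return those, so check every user against the capability itself.
foreach ( get_users() as $u ) {
    if ( user_can( $u, 'manage_options' ) && ! in_array( 'administrator', (array) $u->roles, true ) ) {
        printf( "NOTE: user %d (%s) can manage_options without the administrator role\n",
            $u->ID, $u->user_login );
    }
}
```

The second loop matters because an attacker-created account is not always a textbook administrator; checking the capability rather than the role label catches accounts that a role-based listing in the dashboard would miss.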
Why WordPress Plugin Security Matters
WordPress remains one of the most widely used website platforms in the world, which also makes it a major target for cybercriminals. Vulnerabilities in third-party plugins are one of the most common ways attackers compromise WordPress sites.
Plugins often add powerful features, but they can also introduce security risks if access controls, authentication checks, or update processes are not handled properly.
The WP Maps Pro vulnerability is a reminder that website owners should not rely only on WordPress core updates. Every installed plugin should be monitored, maintained, and updated regularly.
Final Thoughts
The actively exploited WP Maps Pro vulnerability is a serious threat to WordPress websites using outdated versions of the plugin. Because CVE-2026-8732 can allow unauthenticated attackers to create administrator accounts, affected websites may be exposed to full takeover.
Anyone using WP Maps Pro should update to version 6.1.1 immediately, audit administrator accounts, and review their site for suspicious activity.
As attackers continue to target vulnerable WordPress plugins, fast patching and regular security checks remain essential for protecting business websites, customer data, and online reputation.
