Critical Vulnerability Exposes WordPress Sites via WP Maps Pro Plugin
Cybercriminals are exploiting a significant vulnerability in WordPress sites utilising an outdated version of the WP Maps Pro plugin, which permits the establishment of unauthorised administrator accounts without requiring user authentication.
This flaw, designated as CVE-2026-8732, has been classified with a critical severity rating and specifically affects WP Maps Pro versions 6.1.0 and earlier.
The discovery and subsequent reporting of this security breach were undertaken by researcher David Brown.
WP Maps Pro is a premium plugin designed for creating interactive and customizable maps, including store locators. It is compatible with multiple mapping services, such as Google Maps and OpenStreetMap.
This plugin is widely employed by various sectors, including businesses, real estate agencies, travel websites, directories, and organisations that require the visualisation of multiple locations on a map, boasting over 15,800 sales on Envato Market.
The root cause of the CVE-2026-8732 vulnerability lies in a “temporary access” feature embedded within the plugin, ostensibly intended to facilitate vendor support staff’s troubleshooting efforts on customer sites.
Brown’s examination revealed that the AJAX endpoint associated with this feature was accessible to users lacking authentication and relied solely on a publicly accessible nonce check located in frontend JavaScript, thereby rendering its protective measures ineffective.
The flaw lets an attacker send a specially crafted request that invokes the code path which creates a new WordPress user.
That user is assigned the administrator role, a passwordless login URL is generated for it, and the details are sent to a remote party.
Upon accessing this URL, the attacker is seamlessly authenticated to the newly established administrator account, requiring no password or additional verification.
Researchers at Defiant, a leading WordPress security firm, have reported a surge in attempted exploits, with over 3,600 instances blocked within the last 24 hours.
According to the researchers, “When the request is made with the check_temp parameter set to false, the function invokes wp_insert_user() to create a new WordPress user with a hardcoded administrator role and a randomly generated username.
“Subsequently, the function generates a ‘magic login URL’ via generate_login_link(), stores it as user metadata, and returns it within the response payload.”
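To make the failure concrete, here is an added example that is not WP Maps Pro's code and not the researchers' material: a minimal WordPress AJAX handler with the same defect the article and the quoted analysis describe (reachable by unauthenticated visitors, guarded only by a nonce that is printed into public page JavaScript, hardcoded administrator role), followed by a hardened version of the same "temporary support access" idea. The action name `myplugin_temp_access`, the option `myplugin_temp_access_enabled`, the meta key `myplugin_temp_access_expires` and the `editor` role choice are hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code). Names are hypothetical.
 * Part 1 reproduces the pattern the article describes; Part 2 fixes it.
 */

// ---- Part 1: the unsafe pattern -------------------------------------------
// wp_ajax_nopriv_* registers the handler for visitors who are NOT logged in.
// For such visitors WordPress generates the nonce for user ID 0 and the plugin
// prints it into frontend JavaScript, so anyone can read it and replay it.
// A nonce is a CSRF token, not an authorization check.
add_action( 'wp_ajax_nopriv_myplugin_temp_access', 'myplugin_temp_access_unsafe' );
add_action( 'wp_ajax_myplugin_temp_access', 'myplugin_temp_access_unsafe' );

function myplugin_temp_access_unsafe() {
    check_ajax_referer( 'myplugin_temp_access', 'nonce' ); // public value; not auth

    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator',                  // hardcoded privileged role
    ) );
    // The real plugin then built a passwordless login link for this account
    // and returned it in the response; that part is deliberately omitted here.
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// ---- Part 2: hardened version ---------------------------------------------
// No wp_ajax_nopriv_ registration: an unauthenticated request gets WordPress's
// default "0" response and never reaches this function.
add_action( 'wp_ajax_myplugin_temp_access', 'myplugin_temp_access_hardened' );

function myplugin_temp_access_hardened() {
    // 1. Authorization first: only a logged-in user who may already create
    //    users can run this. This is the check the vulnerable pattern lacked.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the nonce is now bound to a real logged-in session.
    //    check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( 'myplugin_temp_access', 'nonce' );

    // 3. Explicit opt-in by the site owner (hypothetical option name).
    if ( '1' !== get_option( 'myplugin_temp_access_enabled', '0' ) ) {
        wp_send_json_error( 'feature disabled', 403 );
    }

    // 4. Least privilege and a bounded lifetime instead of a permanent admin.
    $login   = 'support_' . wp_generate_password( 8, false );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => 'editor', // hypothetical: the narrowest role the task needs
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    update_user_meta( $user_id, 'myplugin_temp_access_expires', time() + DAY_IN_SECONDS );

    // 5. No passwordless link and no password in the response; the support
    //    person obtains access through the normal password-reset flow.
    wp_send_json_success( array(
        'user_login' => $login,
        'expires_in' => DAY_IN_SECONDS,
    ) );
}
```

The order in Part 2 matters: the capability check comes before everything else, because a nonce only proves the request originated from a page the caller could load, which for a logged-out visitor is every page on the site. A scheduled task that deletes accounts whose `myplugin_temp_access_expires` timestamp has passed would complete the design. Note also that on a site that ran a vulnerable version, updating the plugin does not remove accounts that were already created; the administrator list still needs to be reviewed.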
Gaining administrative access grants attackers the capability to implant permanent backdoors, modify website content, access confidential data, deploy web shells, install malevolent plugins, and ultimately seize control of the entire site.
Brown reported the vulnerability to Wordfence on March 24; after the exploit had been confirmed, the vendor was informed on May 16.
On May 20, WP Maps Pro version 6.1.1 was released with a patch for CVE-2026-8732. Website administrators are strongly urged to update the plugin immediately, as exploitation has already been observed in the wild.
Source link: Bleepingcomputer.com.