HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Remote Admin Creation in WP Maps Pro (CVE-2026-8732) Endangers WordPress Sites

A critical flaw (CVE‑2026‑8732) in the WP Maps Pro WordPress plugin lets anyone on the internet create an administrator account without authentication. The vulnerability, scored 9.8 CVSS, is actively exploited, putting thousands of sites at risk of full takeover and exposing downstream supply‑chain partners.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Critical Remote Admin Creation in WP Maps Pro (CVE-2026-8732) Endangers WordPress Sites

What It Is — WP Maps Pro, a widely‑deployed WordPress store‑locator plugin, contains an unauthenticated AJAX endpoint (wpgmp_temp_access_ajax) that creates a new WordPress user with the Administrator role and returns a “magic” login URL. The flaw is assigned a CVSS 9.8, classifying it as a critical remote‑code‑execution‑style vulnerability.

Exploitability — Active exploitation has been observed; 2,858 attacks were blocked in a 24‑hour period. A public proof‑of‑concept exists and threat actors are weaponising the flaw in the wild.

Affected Products — WP Maps Pro plugin versions ≤ 6.1.0 (approximately 15 000+ WordPress sites) on any WordPress installation.

TPRM Impact — Any third‑party that relies on WP Maps Pro becomes a direct entry point for full site takeover, exposing customer data, compromising brand reputation, and potentially propagating risk to downstream SaaS or hosted services that integrate with the compromised site.

Recommended Actions

  • Upgrade immediately to WP Maps Pro 6.1.1 or later.
  • Conduct a full audit of WordPress user accounts; delete any unexpected administrators.
  • Block the wpgmp_temp_access_ajax endpoint for unauthenticated requests via a WAF or server‑side rule.
  • Enable multi‑factor authentication for all admin accounts and monitor logs for the “magic login URL” pattern.
  • Review downstream integrations (e.g., APIs, e‑commerce platforms) for data leakage and consider temporary isolation of the affected site.

Source: https://securityaffairs.com/192977/hacking/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html

📰 Original Source
https://securityaffairs.com/192977/hacking/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →