Critical WP Maps Pro Vulnerability (CVE‑2026‑8732) Enables Rogue Admin Account Creation on WordPress Sites
What Happened – A critical flaw (CVE‑2026‑8732) in WP Maps Pro ≤ 6.1.0 lets unauthenticated attackers call an insecure AJAX endpoint, create a new WordPress user with the Administrator role, and obtain a password‑less “magic login” URL. Exploitation attempts have already been observed in the wild.
Why It Matters for TPRM –
- Third‑party plugins can become a direct path to full site takeover, exposing client data and brand reputation.
- Many vendors rely on WP Maps Pro for storefront locators, travel directories, and real‑estate listings – a breach could cascade to their customers.
- The vulnerability is actively being weaponised; delayed patching increases the likelihood of compromise.
Who Is Affected – Organizations that host WordPress sites and use WP Maps Pro (e.g., retail/e‑commerce, real‑estate, travel, local‑government directories, SaaS‑enabled marketing agencies).
Recommended Actions –
- Verify that all WordPress environments have WP Maps Pro ≥ 6.1.1 installed.
- Conduct a rapid inventory of sites running the vulnerable plugin version.
- Review privileged‑account monitoring and enforce MFA for all admin logins.
- Scan for newly created admin accounts and remove any that are unauthorized.
Technical Notes – The flaw resides in a “temporary access” feature that relies on a publicly exposed nonce in front‑end JavaScript. An attacker sends a crafted request with check_temp=false, triggering wp_insert_user() with a hard‑coded admin role and a generated login link. No password or additional verification is required. The issue was reported as CVE‑2026‑8732 and patched in WP Maps Pro 6.1.1 on May 20 2026. Source: BleepingComputer