HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical WP Maps Pro Vulnerability (CVE‑2026‑8732) Enables Rogue Admin Account Creation on WordPress Sites

A critical vulnerability in WP Maps Pro (CVE‑2026‑8732) allows unauthenticated attackers to create administrator accounts on WordPress sites, bypassing all authentication. The flaw is being actively exploited, putting any site that runs the plugin version 6.1.0 or earlier at risk of full takeover. Third‑party risk managers should verify patch status and audit privileged accounts immediately.

LiveThreat™ Intelligence · 📅 May 31, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Critical WP Maps Pro Vulnerability (CVE‑2026‑8732) Enables Rogue Admin Account Creation on WordPress Sites

What Happened – A critical flaw (CVE‑2026‑8732) in WP Maps Pro ≤ 6.1.0 lets unauthenticated attackers call an insecure AJAX endpoint, create a new WordPress user with the Administrator role, and obtain a password‑less “magic login” URL. Exploitation attempts have already been observed in the wild.

Why It Matters for TPRM

  • Third‑party plugins can become a direct path to full site takeover, exposing client data and brand reputation.
  • Many vendors rely on WP Maps Pro for storefront locators, travel directories, and real‑estate listings – a breach could cascade to their customers.
  • The vulnerability is actively being weaponised; delayed patching increases the likelihood of compromise.

Who Is Affected – Organizations that host WordPress sites and use WP Maps Pro (e.g., retail/e‑commerce, real‑estate, travel, local‑government directories, SaaS‑enabled marketing agencies).

Recommended Actions

  • Verify that all WordPress environments have WP Maps Pro ≥ 6.1.1 installed.
  • Conduct a rapid inventory of sites running the vulnerable plugin version.
  • Review privileged‑account monitoring and enforce MFA for all admin logins.
  • Scan for newly created admin accounts and remove any that are unauthorized.

Technical Notes – The flaw resides in a “temporary access” feature that relies on a publicly exposed nonce in front‑end JavaScript. An attacker sends a crafted request with check_temp=false, triggering wp_insert_user() with a hard‑coded admin role and a generated login link. No password or additional verification is required. The issue was reported as CVE‑2026‑8732 and patched in WP Maps Pro 6.1.1 on May 20 2026. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →