Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
The Hacker NewsArchived Jun 01, 2026✓ Full text saved
Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is
Full text archived locally
✦ AI Summary· Claude Sonnet
Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
Ravie LakshmananJun 01, 2026Vulnerability / Website Security,
Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites.
WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is used as a store locator tool, making it easier for users to find nearby locations, view listing details, and get directions.
The vulnerability in question is CVE-2026-8732 (CVSS score: 9.8), a privilege escalation bug that allows unauthenticated attackers to create a WordPress user with administrative permissions, effectively allowing them to take control of a site.
The shortcoming impacts all versions of the plugin prior to and including 6.1.0. It has been addressed in version 6.1.1. Security researcher David Brown has been credited with discovering and reporting the flaw.
At a high level, the problem is rooted in a "temporary access" feature that's designed to allow support staff to log in to a customer's site during troubleshooting. Because this process allows unauthenticated users to invoke the "wpgmp_temp_access_support()" function without adequate checks, it ultimately allows them to create an administrator user.
"This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism," Wordfence said.
"This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover."
The patch released by the plugin maintainers on May 20, 2026, closes the vulnerability by ensuring that only authenticated administrators can access the endpoint.
That said, the security flaw has since come under active exploitation, with Wordfence stating that it has blocked 2,858 attacks targeting the issue over the past 24 hours. It's therefore essential that site owners update their instances to the latest version for optimal protection.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
cybersecurity, privilege escalation, Vulnerability, Website Security, Wordfence, WordPress
⚡ Top Stories This Week
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
Developer Workstations Are Now Part of the Software Supply Chain
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
The New Phishing Click: How OAuth Consent Bypasses MFA
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
Load More ▼
⭐ Featured Resources
Claim ANY.RUN Anniversary Offer for Faster Malware Analysis
[Guide] Get Key Identity Security Insights From 2026 Snapshot
[Guide] Learn to Detect AI Typosquatting Risks in Your Domain
Discover How to Navigate the Era of Constant Cyber Exposure