WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Security WeekArchived Jun 01, 2026✓ Full text saved
The security defect (CVE-2026-8732) allows unauthenticated attackers to create administrative accounts on the affected installations. The post WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
Threat actors are exploiting a critical-severity vulnerability in the WP Maps Pro WordPress plugin to take over websites, Defiant warns.
WP Maps Pro allows site administrators to embed Google Maps in their installations, customizable with advanced location, markers, and categories.
The exploited vulnerability, tracked as CVE-2026-8732 (CVSS score of 9.8), allows unauthenticated threat actors to create new administrative accounts and take over vulnerable sites.
WP Maps Pro has been designed to support tooling, which exposes a temporary access capability used by the vendor to log in to customer sites as part of troubleshooting operations.
According to Defiant, the security defect exists in a callback AJAX function used to handle the temporary access generation, which is protected only by a nonce check.
The nonce, it explains, is embedded in every frontend page and exposed to any unauthenticated user, which makes the nonce check ineffective.
Furthermore, the plugin does not include capability checks, thus allowing unauthenticated attackers to invoke the AJAX action with a check_temp parameter set to false and create a new WordPress user with the role of administrator.
The user is generated with a random username and with a hardcoded email address. Additionally, the function generates a magic login URL and returns it to the attacker, which can use it to authenticate without a password or additional verification.
“As a result, an attacker gains full administrator-level control over the site and can install malicious plugins, modify themes, inject backdoors, exfiltrate data, or deploy web shells for persistent access,” Defiant explains.
The vulnerability was addressed in WP Maps Pro version 6.1.1, which adds a capability check to restrict access to authenticated administrators.
Defiant says it has blocked over 1,700 attacks targeting the CVE-2026-8732 over the past 24 hours.
Related: CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
Related: Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
Related: Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
Related: Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
Charter Communications Data Breach Could Impact Nearly 5 Million
MokN Raises $15 Million for Phish-Back Platform
Gogs Zero-Day Exposes Servers to Remote Code Execution
Chrome 148 Update Patches 151 Vulnerabilities
Geordie Raises $30 Million for AI Security and Governance Platform
Carnival Data Breach Exposed 6 Million People
New BTMOB Android Malware Enables Full Device Takeover
Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks
Latest News
Dutch Police Dismantle Massive 17-Million-Device Botnet
Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
Dragos Acquires xIoT Security Firm Phosphorus
As the Pentagon Pushes for Battlefield AI, Some Military Leaders Urge Caution
19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access
Recent Palo Alto Networks Vulnerability Exploited for Weeks
Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say
Exploit Code Published for Critical Flowise RCE Vulnerability
Trending
Virtual Event: Threat Detection And Incident Response Summit
On-Demand
Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.
Register
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
People on the Move
Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter
CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.
Quantum Secure Encryption has named Michael Massing as Chief Technology Officer.
More People On The Move
Expert Insights
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Caught Off Guard: Securing AI After It Hits Production
As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb)
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Is The SOC Obsolete, And We Just Haven’t Admitted It Yet?
Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au)
Flipboard
Reddit
Whatsapp
Email