Critical WP Maps Pro Flaw Lets Attackers Create WordPress Admin Accounts
A critical vulnerability in the WP Maps Pro WordPress plugin is being actively exploited to let unauthenticated attackers create administrator accounts and fully take over affected websites. The flaw, tracked as CVE-2026-8732 and rated CVSS 9.8, affects versions through 6.1.0 and was discovered by Wordfence through its bug bounty program. Researchers said the issue stems from improper privilege validation in the plugin’s temporary support-access feature, where the wpgmp_temp_access_ajax_callback() endpoint was exposed to unauthenticated users and protected only by a publicly accessible nonce.
Successful exploitation allows an attacker to trigger backend admin account creation, obtain a secret or magic login URL, and sign in without a password. Wordfence reported blocking 2,514 attacks in 24 hours, indicating rapid automated exploitation in the wild, and said roughly 15,000 WordPress sites are affected. The vendor has released a fix in WP Maps Pro 6.1.1 by adding a capability check that restricts access to users with manage_options, while Wordfence said firewall protection was issued to premium customers on May 18 and scheduled for free users on June 17.
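To make the root cause concrete, here is an added illustrative contrast in PHP (not code from the plugin, the vendor, or Wordfence): a WordPress AJAX handler that relies on a publicly readable nonce as its only gate, beside the same handler with the manage_options capability check the 6.1.1 fix is described as adding. Only the AJAX action name wpgmp_temp_access_ajax comes from the story; the nonce action string, the demo_ function names and their bodies are hypothetical.

```php
<?php
// Added illustration (not the plugin's or Wordfence's code). The AJAX action
// name wpgmp_temp_access_ajax is from the story; the nonce action string,
// function names and bodies are hypothetical.

// ---- Vulnerable pattern (the class of bug described for <= 6.1.0) ----
// Registering under wp_ajax_nopriv_ lets visitors who are not logged in reach
// the handler. check_ajax_referer() only confirms the request carries a valid
// nonce; a nonce printed into a public page is readable by anyone, so it is a
// CSRF token, not an authorization decision. No capability is ever checked.
function demo_weak_temp_access_callback() {
    check_ajax_referer( 'wpgmp_temp_access', 'nonce' );
    // ... privileged work (e.g. provisioning a support login) would run here
    //     for any caller that reached this line.
    wp_send_json_success( array( 'status' => 'created' ) );
}
// Kept commented so this file never registers the weak handler if included:
// add_action( 'wp_ajax_wpgmp_temp_access_ajax',        'demo_weak_temp_access_callback' );
// add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'demo_weak_temp_access_callback' );

// ---- Hardened pattern (what the story says 6.1.1 adds) ----
// 1. current_user_can( 'manage_options' ) is the authorization check: on a
//    single-site install only administrators pass it. wp_send_json_error()
//    ends in wp_die(), so execution stops for everyone else.
// 2. The nonce check stays: authorization and CSRF protection are separate
//    concerns and both are needed.
// 3. Not registering a wp_ajax_nopriv_ hook is an extra step beyond the
//    described fix: admin-ajax.php then answers anonymous calls with its
//    generic "0" response before any callback is reached.
function demo_hardened_temp_access_callback() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    check_ajax_referer( 'wpgmp_temp_access', 'nonce' );
    // ... privileged work, now reachable only by callers holding manage_options
    wp_send_json_success( array( 'status' => 'created' ) );
}
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'demo_hardened_temp_access_callback' );
```

The defensive takeaway is that a nonce check answers "did this request originate from my page?", never "is this caller allowed to do this?"; every privileged AJAX or REST handler needs its own current_user_can() test.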

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Free Wordfence users scheduled to receive firewall protection
Wordfence said users on its free tier were scheduled to receive firewall protection for the WP Maps Pro vulnerability on 2026-06-17. This was presented as the delayed rollout date for non-premium customers.
Wordfence reports blocking 2,858 WP Maps Pro exploit attempts in 24 hours
A newer report said Wordfence blocked 2,858 exploitation attempts targeting CVE-2026-8732 in the previous 24 hours. This reflects continued active exploitation of the WP Maps Pro administrator account creation flaw after public disclosure.
Wordfence reports blocking 2,514 exploitation attempts in 24 hours
Wordfence reported that it blocked 2,514 attacks targeting the WP Maps Pro vulnerability within a 24-hour period. This indicated rapid automated exploitation following discovery of the flaw.
Wordfence discloses actively exploited WP Maps Pro zero-day
Wordfence disclosed CVE-2026-8732, a critical WP Maps Pro vulnerability that lets unauthenticated attackers create administrator accounts and take over affected WordPress sites. The advisory said the bug was being actively exploited in the wild and that roughly 15,000 sites were affected.
WP Maps Pro vendor fixes CVE-2026-8732 in version 6.1.1
The WP Maps Pro vendor released version 6.1.1 to fix the vulnerability by adding a capability check that restricts the vulnerable endpoint to users with the manage_options capability. The flaw affected versions up to and including 6.1.0.
Security Affairs reports WP Maps Pro 6.1.1 fix released
Security Affairs reported that the WP Maps Pro maintainers fixed CVE-2026-8732 in version 6.1.1 released on 2026-05-20. The update addressed the flaw that allowed unauthenticated attackers to create administrator accounts on sites running versions up to 6.1.0.
Wordfence firewall protection released to premium users
Wordfence said its premium customers received firewall protection for CVE-2026-8732 on 2026-05-18. The protection addressed the WP Maps Pro vulnerability that allows unauthenticated administrator account creation.
Wordfence notifies WP Maps Pro vendor of CVE-2026-8732
After receiving David Brown's report, Wordfence notified the WP Maps Pro vendor about the administrator account creation flaw later tracked as CVE-2026-8732. This vendor notification preceded the release of version 6.1.1 that fixed the issue.
Researcher reports WP Maps Pro flaw to Wordfence Bug Bounty Program
Researcher David Brown reported the WP Maps Pro administrator account creation vulnerability to the Wordfence Bug Bounty Program. The report initiated coordinated disclosure of the flaw later tracked as CVE-2026-8732.
Sources
10 references tracked.
Critical bug in the WP Maps Pro plugin lets attackers create administrator accounts - Хакер (xakep.ru)
Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account (cybersecuritynews.com)
Critical vulnerability in WP Maps Pro allows rogue administrator account creation | brief | SC Media (scworld.com)
CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password (securityaffairs.com)
WP Maps Pro Flaw Exposed Sites To Administrator Takeover (thecyberexpress.com)
CVE-2026-8732 - WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action (cvefeed.io)
WP Maps Pro Vulnerability Exploited in the Wild (securityonline.info)
15,000 WordPress Sites Affected by Administrator Account Creation Vulnerability in WP Maps Pro WordPress Plugin - Malware News - Malware Analysis, News and Indicators (malware.news)