

Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication.
The vulnerability, tracked as CVE-2026-8732, has a critical severity score and affects WP Maps Pro versions 6.1.0 and older. It was discovered and reported by security researcher David Brown.
WP Maps Pro is a premium WordPress plugin for building interactive, customizable maps and store locators. It supports multiple map providers, such as Google Maps and OpenStreetMap.
The plugin is commonly used by businesses, real estate websites, travel sites, directories, and organizations that need to display multiple locations on a map, and has over 15,800 sales on the Envato Market.
The CVE-2026-8732 vulnerability is caused by a "temporary access" feature in the plugin, intended to allow vendor support staff to access customer sites for troubleshooting.
Brown found that the AJAX endpoint used for this feature was accessible to unauthenticated users and relied solely on a publicly exposed nonce check in frontend JavaScript, rendering the protection ineffective.
This allows sending a specially crafted request that triggers code to create a new WordPress user, assign it the administrator role, generate a passwordless login URL, and send it to a remote machine.
Once the attacker visits this URL, they are automatically authenticated to the newly created administrator account, without a password or any other verification required.
Researchers at WordPress security firm Defiant observed threat actors attempting to exploit the vulnerability, and blocked more than 3,600 attempts over the past 24 hours.

"When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com," the researchers explain.
"The function then generates a 'magic login URL' using generate_login_link(), stores it as user meta, and returns it in the response body."
Having admin-level access on the site means attackers can inject persistent backdoors, alter content, access private data, deploy web shells, install malicious plugins, and take over the website.
Brown reported the flaw to Wordfence on March 24, and the vendor was notified on May 16 after validating the exploit.
On May 20, WP Maps Pro 6.1.1 was released with a fix for CVE-2026-8732. Website administrators are advised to update their plugins as soon as possible, as malicious activity has already been observed.
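As an added illustration (this is not the plugin's code, and the hook name, action name, and meta keys are assumptions), the shape a "temporary access" AJAX handler should take so that a nonce visible in frontend JavaScript is never the only gate, contrasted in the comments with the unauthenticated, nonce-only pattern the researchers describe:

```php
<?php
// Hardened WordPress AJAX handler for a vendor "temporary access" feature.
// Illustrative code only; hook/action/meta names are assumed, not the plugin's.

// 1. Register ONLY the authenticated hook. The vulnerable pattern also hooks
//    wp_ajax_nopriv_*, which lets anonymous visitors reach the handler.
add_action( 'wp_ajax_wpmp_temp_access', 'wpmp_temp_access_handler' );

function wpmp_temp_access_handler() {
    // 2. A nonce only proves the request originated from a page we rendered.
    //    It is readable by anyone who loads the page, so it is a CSRF check,
    //    not an authorization check, and must never stand alone.
    check_ajax_referer( 'wpmp_temp_access', 'security' );

    // 3. Authorization: only a logged-in site administrator may grant access.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. No client-controlled switch (the page's check_temp parameter) decides
    //    server-side behaviour; the administrator's explicit action does.
    $username = 'wpmp-support-' . wp_generate_password( 8, false );
    $user_id  = wp_insert_user( array(
        'user_login' => $username,
        'user_pass'  => wp_generate_password( 32, true ),
        'user_email' => sanitize_email( get_option( 'admin_email' ) ),
        // Least privilege: no hardcoded 'administrator' role for support use.
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // 5. Time-box the account and record who created it, for audit and cleanup.
    update_user_meta( $user_id, 'wpmp_temp_expires', time() + DAY_IN_SECONDS );
    update_user_meta( $user_id, 'wpmp_temp_created_by', get_current_user_id() );

    // 6. No passwordless "magic login URL" in the response body. Credentials
    //    reach the support engineer out of band; the response only confirms.
    wp_send_json_success( array( 'user_id' => $user_id, 'user_login' => $username ) );
}
```

A scheduled task that deletes users whose `wpmp_temp_expires` meta is in the past would complete the picture, and any administrator account whose creation is not paired with a logged `wpmp_temp_created_by` value is worth investigating on a site that ran the affected versions.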
