WP Maps Pro bug exploited to create admin accounts on WordPress sites
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
AI Analysis
Technical Summary
The WP Maps Pro plugin for WordPress contains a critical security flaw (CVE-2026-8732) in its 'temporary access' AJAX endpoint, which is accessible without authentication and protected only by a nonce exposed in frontend JavaScript. This allows attackers to send specially crafted requests that create new administrator accounts with a hardcoded email and a randomly generated username. The plugin then generates a passwordless 'magic login URL' for the new admin user and returns it to the attacker, enabling immediate admin-level access without any further verification. This vulnerability affects WP Maps Pro versions 6.1.0 and earlier. The issue was responsibly disclosed and fixed in version 6.1.1. Exploitation attempts have been observed in the wild, with security firms blocking thousands of attacks within a day.
Potential Impact
Successful exploitation grants attackers administrator privileges on vulnerable WordPress sites, allowing them to inject persistent backdoors, modify site content, access sensitive data, deploy web shells, install malicious plugins, and fully take over the website. This represents a complete compromise of site security and control.
Mitigation Recommendations
A fixed version of WP Maps Pro (6.1.1) has been released that addresses CVE-2026-8732. Site administrators should update to version 6.1.1 or later immediately to remediate this vulnerability. No other mitigation steps are indicated by the vendor advisory. Given active exploitation attempts, prompt patching is critical.
WP Maps Pro bug exploited to create admin accounts on WordPress sites
Description
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WP Maps Pro plugin for WordPress contains a critical security flaw (CVE-2026-8732) in its 'temporary access' AJAX endpoint, which is accessible without authentication and protected only by a nonce exposed in frontend JavaScript. This allows attackers to send specially crafted requests that create new administrator accounts with a hardcoded email and a randomly generated username. The plugin then generates a passwordless 'magic login URL' for the new admin user and returns it to the attacker, enabling immediate admin-level access without any further verification. This vulnerability affects WP Maps Pro versions 6.1.0 and earlier. The issue was responsibly disclosed and fixed in version 6.1.1. Exploitation attempts have been observed in the wild, with security firms blocking thousands of attacks within a day.
Potential Impact
Successful exploitation grants attackers administrator privileges on vulnerable WordPress sites, allowing them to inject persistent backdoors, modify site content, access sensitive data, deploy web shells, install malicious plugins, and fully take over the website. This represents a complete compromise of site security and control.
Mitigation Recommendations
A fixed version of WP Maps Pro (6.1.1) has been released that addresses CVE-2026-8732. Site administrators should update to version 6.1.1 or later immediately to remediate this vulnerability. No other mitigation steps are indicated by the vendor advisory. Given active exploitation attempts, prompt patching is critical.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites/","fetched":true,"fetchedAt":"2026-05-31T14:18:35.793Z","wordCount":741}
Threat ID: 6a1c433be29bf47b501b408e
Added to database: 5/31/2026, 2:18:35 PM
Last enriched: 5/31/2026, 2:18:45 PM
Last updated: 6/1/2026, 12:30:10 PM
Views: 26
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.