WP Maps Pro Plugin Vulnerability Exploited to Create Admin Accounts on WordPress Sites
Vulnerability in WP Maps Pro Plugin Allows Creation of Rogue Administrator Accounts on WordPress Sites
A critical vulnerability has been discovered in the WP Maps Pro plugin, allowing hackers to create unauthorized administrator accounts on WordPress websites.
The Issue
The issue, identified as CVE-2026-8732, affects versions 6.1.0 and earlier of the plugin.
How It Happens
The vulnerability stems from a temporary access feature designed to let vendor support staff access customer sites for troubleshooting. The feature was implemented insecurely, leaving it open to exploitation by unauthenticated users.
Patch Released
A patch was released on May 20; WP Maps Pro 6.1.1 addresses the issue.
Action Required
Administrators of affected websites are urged to update their installations to the latest version to prevent potential exploitation.
Threat Actors Already Actively Exploiting the Vulnerability
Threat actors have already begun attempting to exploit this vulnerability, with over 3,600 attempts observed in the past 24 hours alone.
What You Can Do
- Regularly update your installations to the latest version.
- Perform comprehensive security audits.
- Monitor your system activity regularly.
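Because the flaw results in new administrator accounts, one concrete audit step is to review who currently holds that role. The script below is an added example, not code from the plugin or its vendor: it reads a CSV export of administrators (the sample rows are constructed, shaped like WP-CLI's `wp user list` CSV output) and flags accounts for manual review. The `known_logins` list and the `window_start` date are assumptions that each site owner has to supply.

```python
import csv
import io
from datetime import datetime

# Constructed sample, shaped like the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_CSV = '''ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,"2021-03-02 09:15:44"
7,webdev,dev@example.com,"2023-11-18 16:02:10"
42,support_tmp,tmp@example.net,"2026-05-19 03:27:51"
43,webdev2,dev2@example.com,not-a-date
'''


def audit_admins(csv_text, known_logins, window_start):
    """Return [(login, [reasons])] for administrators that need manual review.

    known_logins: logins the owner expects to hold the role (assumption).
    window_start: start of the period under review (assumption).
    """
    known = {name.lower() for name in known_logins}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        reasons = []
        if login.lower() not in known:
            reasons.append("not on the expected-administrator list")
        try:
            registered = datetime.strptime(
                row["user_registered"].strip(), "%Y-%m-%d %H:%M:%S")
            if registered >= window_start:
                reasons.append(
                    f"registered {registered:%Y-%m-%d %H:%M} in review window")
        except ValueError:
            # A damaged date field cannot be ruled out, so surface it too.
            reasons.append("unparseable registration date")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    expected = {"siteowner", "webdev", "webdev2"}   # hypothetical allowlist
    start = datetime(2026, 5, 1)                    # hypothetical cutoff
    for login, reasons in audit_admins(SAMPLE_CSV, expected, start):
        print(f"REVIEW {login}: " + "; ".join(reasons))
```

An account flagged here is a prompt for manual review, not proof of compromise, and an empty result does not replace updating the plugin.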