Critical Vulnerability in WP Maps Pro Plugin Exploited to Create Rogue Admin Accounts
A critical vulnerability in the **WP Maps Pro** WordPress plugin is being actively exploited to create unauthorized administrator accounts. Tracked as **CVE-2026-8732**, the flaw allows attackers to bypass authentication and gain full control of affected websites. Website administrators are urged to update to version 6.1.1 immediately.

Hackers are actively targeting WordPress websites running vulnerable versions of the **WP Maps Pro** plugin, exploiting a flaw to create rogue administrator accounts without needing authentication.
## Vulnerability Details
The vulnerability, identified as **CVE-2026-8732**, has a critical severity rating and affects **WP Maps Pro** versions 6.1.0 and earlier. It was discovered and reported by security researcher **David Brown**.
**WP Maps Pro** is a premium WordPress plugin designed for building interactive and customizable maps and store locators. It supports various map providers like **Google Maps** and **OpenStreetMap**.
Used by businesses, real estate websites, travel sites, directories, and other organizations needing to display multiple locations, the plugin boasts over 15,800 sales on the **Envato Market**.
## Technical Explanation
**CVE-2026-8732** stems from a "temporary access" feature intended to grant vendor support staff access to customer sites for troubleshooting.
Brown discovered that the AJAX endpoint for this feature was reachable by unauthenticated users. Its only protection was a nonce check, and the nonce value was embedded in the site's public frontend JavaScript, so any visitor could read it. A WordPress nonce only guards against cross-site request forgery; it is not a substitute for a capability check, so the protection was ineffective.
This allows attackers to send a crafted request that triggers the creation of a new WordPress user with administrator privileges. The same request causes the plugin to generate a passwordless login URL, which is returned to the attacker's system in the response.
Visiting this URL automatically authenticates the attacker to the newly created administrator account, bypassing password requirements and any other verification.
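The access-control gap described above is the same one that turns up in many plugin AJAX handlers: a nonce is treated as authorization. The following is an added illustration written for this article, not WP Maps Pro's own code. It shows a minimal handler with the vulnerable pattern beside a hardened version; the hook names, nonce action, meta keys and helper function names are all assumptions, and the hardcoded email is a placeholder.

```php
<?php
// Added illustration (not WP Maps Pro's code). Hook names, nonce action,
// meta keys and helper names are assumptions; the email is a placeholder.

// ---- Vulnerable pattern ---------------------------------------------------
// Registered on the "nopriv" hook as well, so logged-out visitors reach the
// callback. The only gate is a nonce that the page's own JavaScript exposes,
// so anyone who loads the page can read it and replay it.
add_action( 'wp_ajax_wpmp_temp_access', 'wpmp_temp_access_vulnerable' );
add_action( 'wp_ajax_nopriv_wpmp_temp_access', 'wpmp_temp_access_vulnerable' );

function wpmp_temp_access_vulnerable() {
    // A nonce stops CSRF; it says nothing about WHO is calling.
    check_ajax_referer( 'wpmp_temp_access', 'nonce' );

    if ( isset( $_POST['check_temp'] ) && 'false' === $_POST['check_temp'] ) {
        $user_id = wp_insert_user( array(
            'user_login' => 'support_' . wp_generate_password( 8, false ),
            'user_pass'  => wp_generate_password( 32 ),
            'user_email' => 'support@example.invalid',   // placeholder
            'role'       => 'administrator',             // hardcoded role
        ) );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( $user_id->get_error_message() );
        }
        // Passwordless "magic" link handed straight back to the caller.
        wp_send_json_success( array( 'login_url' => wpmp_make_magic_link( $user_id ) ) );
    }
    wp_send_json_error( 'bad request' );
}

// Builds a one-time login URL: the raw token goes into the URL, only its hash
// is stored, so a database read alone does not yield a usable link.
function wpmp_make_magic_link( $user_id ) {
    $token = wp_generate_password( 40, false );
    update_user_meta( $user_id, 'wpmp_magic_token_hash', wp_hash( $token ) ); // assumed key
    update_user_meta( $user_id, 'wpmp_magic_token_exp', time() + HOUR_IN_SECONDS );
    return add_query_arg( array( 'wpmp_login' => $user_id, 'token' => $token ), home_url( '/' ) );
}

// ---- Hardened pattern -----------------------------------------------------
// 1. No nopriv hook: unauthenticated requests never reach the callback.
// 2. Capability checks: the caller must already be allowed to create and
//    promote users before the code does either on their behalf.
// 3. The nonce stays, but as a CSRF control, not as the access decision.
// 4. The grant is time-boxed and leaves an audit trail.
add_action( 'wp_ajax_wpmp_temp_access_v2', 'wpmp_temp_access_hardened' );

function wpmp_temp_access_hardened() {
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wpmp_temp_access', 'nonce' );

    $ttl_hours = min( 72, max( 1, absint( $_POST['ttl_hours'] ?? 24 ) ) );
    $user_id   = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32 ),
        'user_email' => sanitize_email( $_POST['support_email'] ?? '' ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    update_user_meta( $user_id, 'wpmp_temp_expires', time() + $ttl_hours * HOUR_IN_SECONDS );
    // Record who granted the access; site owners can hook this for alerting.
    do_action( 'wpmp_temp_access_granted', $user_id, get_current_user_id(), $ttl_hours );

    // Deliver the link out of band (e-mail to the vetted support address)
    // rather than echoing a passwordless URL into the HTTP response.
    wp_mail( get_userdata( $user_id )->user_email, 'Temporary site access',
             'Login link: ' . wpmp_make_magic_link( $user_id ) );
    wp_send_json_success( array( 'user_id' => $user_id, 'expires_in_hours' => $ttl_hours ) );
}
```

The two versions differ in four places that a code review of any "support access" or "create user" AJAX action should look for: whether a `wp_ajax_nopriv_*` hook exists at all, whether `current_user_can()` gates the privileged operation, whether the role is hardcoded or derived from the caller's own permissions, and whether a credential-equivalent (here the login URL) is returned in the response body. The expiry stored in the hardened version is only useful if a scheduled task actually removes expired accounts; that cleanup is omitted here.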
## Active Exploitation
Researchers at **Defiant**, the WordPress security company behind **Wordfence**, have observed active exploitation attempts and report blocking over 3,600 of them in the past 24 hours.

"When the request is made with a `check_temp` parameter set to `false`, the function creates a new WordPress user via `wp_insert_user()` with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address `[email protected]`," the researchers at **Wordfence** explain.
"The function then generates a 'magic login URL' using `generate_login_link()`, stores it as user meta, and returns it in the response body."
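The quoted description gives a site owner three concrete indicators of a rogue account: an administrator with a random-looking username, the exploit's hardcoded email address, and a magic-login URL stored as user meta. The following audit script is an added example for this article, not code from Wordfence or the plugin. It is meant to be run with WP-CLI as `wp eval-file audit-admins.php`; the user-meta key name and the email value are assumptions (the page does not give the plugin's actual key), so treat every hit as a lead to verify rather than proof of compromise.

```php
<?php
// Added example (not Wordfence's or the plugin's code). Run inside WordPress,
// e.g. `wp eval-file audit-admins.php`. The meta key and email are ASSUMED;
// replace them with values confirmed for your installation.

const WPMP_SUSPECT_META_KEY = 'wpmp_magic_login_url';      // assumed key name
const WPMP_SUSPECT_EMAIL    = 'REPLACE-WITH-KNOWN-EMAIL';  // placeholder
const WPMP_LOOKBACK_DAYS    = 30;

/**
 * Returns administrator accounts that match any of the indicators:
 * registered recently, carry the known email, or hold magic-login meta.
 * Usernames made of a fixed prefix plus random characters are also flagged.
 */
function wpmp_audit_admin_accounts( $lookback_days = WPMP_LOOKBACK_DAYS ) {
    $since    = time() - $lookback_days * DAY_IN_SECONDS;
    $findings = array();

    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $reasons = array();

        if ( strtotime( $user->user_registered ) >= $since ) {
            $reasons[] = sprintf( 'registered within the last %d days', $lookback_days );
        }
        if ( 0 === strcasecmp( $user->user_email, WPMP_SUSPECT_EMAIL ) ) {
            $reasons[] = 'email matches the exploit indicator';
        }
        if ( '' !== get_user_meta( $user->ID, WPMP_SUSPECT_META_KEY, true ) ) {
            $reasons[] = 'magic-login meta present';
        }
        // Random usernames: long runs of mixed letters and digits with no vowels
        // in a row are a weak heuristic, hence listed last and never alone.
        if ( count( $reasons ) > 0 && preg_match( '/^[A-Za-z0-9]{10,}$/', $user->user_login )
             && ! preg_match( '/[aeiou]{2}/i', $user->user_login ) ) {
            $reasons[] = 'username looks machine-generated';
        }

        if ( $reasons ) {
            $findings[] = array(
                'id'         => $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
                'reasons'    => $reasons,
            );
        }
    }
    return $findings;
}

$findings = wpmp_audit_admin_accounts();
$out      = function ( $line ) { class_exists( 'WP_CLI' ) ? WP_CLI::log( $line ) : print( $line . "\n" ); };

if ( empty( $findings ) ) {
    $out( 'No administrator accounts matched the indicators.' );
} else {
    foreach ( $findings as $f ) {
        $out( sprintf( '#%d %s <%s> registered %s: %s',
            $f['id'], $f['login'], $f['email'], $f['registered'], implode('; ', $f['reasons']) ) );
    }
    $out( 'Review each account above; remove unknown ones and rotate all admin credentials.' );
}
```

Because the exploit returns the login URL to the attacker and stores it as meta, removing a rogue account is not sufficient on its own: also rotate the secrets that would let a stored link keep working (the `AUTH_KEY`/`SALT` constants in `wp-config.php` invalidate existing cookies), and review recently installed plugins and modified files for the persistence listed under Impact.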
## Impact
Admin-level access allows attackers to inject persistent backdoors, modify content, access private data, deploy web shells, install malicious plugins, and completely take over the website.
## Remediation
Brown reported the flaw to **Wordfence** on March 24. After Wordfence validated the report, the vendor was notified on May 16.
On May 20, **WP Maps Pro** 6.1.1 was released, patching **CVE-2026-8732**. Website administrators are strongly advised to update their plugins immediately to mitigate the risk of exploitation.
