
Critical WP Maps Pro Flaw Exploited to Create Admin Accounts on WordPress Sites
A critical WP Maps Pro flaw is now being actively exploited by attackers to create administrator accounts on vulnerable WordPress websites.
The vulnerability is tracked as CVE-2026-8732. It affects WP Maps Pro, a WordPress plugin used to add customizable Google Maps, OpenStreetMap, markers, listings, and location-based features to websites.
This issue is serious because attackers do not need a valid username or password. If a website is running a vulnerable version of WP Maps Pro, an unauthenticated attacker may be able to create a new administrator account and take control of the site.
According to reports from The Hacker News and Wordfence, all versions of WP Maps Pro up to and including 6.1.0 are affected. The issue has been fixed in version 6.1.1.
What Is the WP Maps Pro Flaw?
WP Maps Pro is often used by businesses that need map-based features on their WordPress websites. This can include store locators, branch maps, service area listings, property locations, or directory-style pages.
Because the plugin is connected to front-end pages, it needs to load scripts and map-related data for visitors. However, the vulnerability is not just about displaying maps. The problem is tied to a temporary access feature that was designed to help support staff log in during troubleshooting.
In the vulnerable versions, this temporary access feature could be triggered by unauthenticated users. That means someone outside the website could call the function without being logged in as an administrator.
The affected function could then create a new WordPress user with administrator privileges. After that, the attacker could use a generated login link to access the dashboard as the new admin user.
Why CVE-2026-8732 Is Dangerous
The WP Maps Pro flaw has a CVSS score of 9.8, which places it in the critical category. This high score makes sense because the attack can be performed remotely, does not require login access, and can result in full site takeover.
In WordPress, administrator access is extremely powerful. Once attackers have an admin account, they can install plugins, edit themes, upload malicious files, change site settings, create more users, redirect visitors, or inject hidden spam and phishing pages.
For a business website, this can cause serious damage. A compromised site may expose customer data, damage search engine rankings, spread malware, or redirect visitors to scam pages.
In some cases, attackers may not make obvious changes right away. They may create hidden admin users, add backdoors, and wait before using the compromised website for a larger campaign.
How the Vulnerability Works
At a high level, the WP Maps Pro flaw comes from weak access control around the temporary access system.
Wordfence explained that the plugin registered an AJAX action in a way that allowed unauthenticated users to call it. The action was protected by a nonce check, but that nonce was publicly available on front-end pages. Because of that, the nonce did not work as a real access control barrier.
The attacker could call the temporary access function with a specific parameter. The vulnerable code would then create a new WordPress user with the administrator role.
After creating the user, the plugin returned a special login URL. When visited, that URL authenticated the attacker as the newly created administrator. This is why the flaw can lead to complete site takeover.
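To make the access control mistake concrete, here is an added illustration in WordPress PHP; it is not WP Maps Pro's actual code, and the action name, nonce name, handler functions and cron hook are hypothetical. The weak form shows why a nonce alone does not authorize a caller; the hardened form shows the checks a support-access feature needs.

```php
<?php
// Added illustration, not WP Maps Pro's actual code. Hypothetical names:
// the AJAX action "support_access_grant", the nonce action "support_nonce",
// the handler functions and the "support_access_expire" cron hook.

// WEAK PATTERN (the shape the article describes): wp_ajax_nopriv_* makes the
// handler reachable by visitors who are not logged in, and the only gate is a
// nonce the plugin prints into public front-end pages. A nonce defends an
// already-authorized user against CSRF; on its own it proves no authorization.
add_action('wp_ajax_nopriv_support_access_grant', 'weak_support_access');
function weak_support_access() {
    check_ajax_referer('support_nonce', 'nonce'); // value readable by any visitor
    $id = wp_insert_user([
        'user_login' => 'support_' . wp_generate_password(8, false),
        'user_pass'  => wp_generate_password(32, true),
        'role'       => 'administrator', // full site control handed out
    ]);
    wp_send_json_success(['user_id' => $id]);
}

// HARDENED PATTERN: no nopriv hook, so only logged-in users reach it; the caller
// must already hold user-management capabilities; the nonce is still checked
// (CSRF); the account gets least privilege, an audit trail and an expiry.
add_action('wp_ajax_support_access_grant', 'hardened_support_access');
function hardened_support_access() {
    if (!current_user_can('create_users') || !current_user_can('promote_users')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('support_nonce', 'nonce');
    $id = wp_insert_user([
        'user_login' => 'support_' . wp_generate_password(8, false),
        'user_pass'  => wp_generate_password(32, true),
        'role'       => 'editor', // raise only if the troubleshooting needs it
    ]);
    if (is_wp_error($id)) {
        wp_send_json_error($id->get_error_message(), 500);
    }
    update_user_meta($id, 'support_access_created_by', get_current_user_id());
    update_user_meta($id, 'support_access_expires', time() + DAY_IN_SECONDS);
    wp_schedule_single_event(time() + DAY_IN_SECONDS, 'support_access_expire', [$id]);
    wp_send_json_success(['user_id' => $id]);
}
add_action('support_access_expire', function ($id) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    wp_delete_user((int) $id);
});
```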
Active Exploitation Makes the Risk Higher
This issue is not only theoretical. Reports say attackers have already started trying to exploit it in the wild.
That changes the urgency. When a vulnerability is actively exploited, site owners should not wait for a normal maintenance window if the affected plugin is installed. A vulnerable WordPress website can be attacked before the owner even notices anything strange.
Wordfence reported thousands of blocked attack attempts targeting this issue within a short period. This shows that attackers are already scanning for vulnerable sites.
For WordPress site owners, the safest response is simple. Check whether WP Maps Pro is installed. Then check the version. If it is version 6.1.0 or older, update immediately to version 6.1.1 or newer.
What Site Owners Should Check
The first thing to check is the plugin version. Go to the WordPress dashboard, open the plugin page, and confirm the installed version of WP Maps Pro.
If the plugin is outdated, update it right away. If you cannot update immediately, consider temporarily disabling the plugin until the site can be secured.
After updating, do not assume everything is clean. Because this vulnerability can create administrator accounts, you should review the user list inside WordPress.
Look for unknown admin users, especially accounts you did not create. Also check for unfamiliar email addresses, strange usernames, or recently created accounts.
You should also review installed plugins and themes. If an attacker gained admin access, they may have uploaded a malicious plugin, modified theme files, or added a backdoor.
Why Updating Alone May Not Be Enough
Updating to WP Maps Pro 6.1.1 or newer is necessary. However, it only prevents future exploitation. It does not remove damage that may have happened before the update.
If a malicious admin account was already created, that account can remain active even after the plugin is patched. This is why cleanup matters.
Site owners should remove unknown admin users, reset passwords for all administrator accounts, review site files, and scan the website for malware.
It is also wise to check server logs if available. Look for unusual requests to the admin-ajax.php endpoint, unknown login activity, and file changes around the time the vulnerability may have been exploited.
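The account review described above, as an added read-only audit script that is not taken from the article or the plugin: it lists every administrator account newest first, flags those registered after a cutoff date you choose, and shows whether each still holds active login sessions. It assumes WP-CLI is available and is run inside the site with `wp eval-file audit-admins.php`; the cutoff value and file name are placeholders.

```php
<?php
// Added audit script, not part of WP Maps Pro or the article.
// Run inside the WordPress install with WP-CLI:  wp eval-file audit-admins.php
// Placeholder: set the cutoff to just before the plugin was exposed or installed.
$cutoff = '2026-06-01 00:00:00';

// All administrator accounts, newest registration first.
$admins = get_users([
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
    'fields'  => 'all',
]);

printf("%-5s %-20s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered', 'note');
foreach ($admins as $u) {
    $note = [];
    if ($u->user_registered >= $cutoff) {
        $note[] = 'CREATED AFTER CUTOFF';
    }
    // Active sessions let an account be used until the password is reset or
    // the sessions are destroyed, even after the plugin is patched.
    $sessions = WP_Session_Tokens::get_instance($u->ID)->get_all();
    if (count($sessions) > 0) {
        $note[] = count($sessions) . ' active session(s)';
    }
    printf("%-5d %-20s %-32s %-20s %s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, implode('; ', $note));
}
printf("\n%d administrator account(s) total; verify every one against your own records.\n",
    count($admins));
```

Any account you do not recognise should be removed, and `wp user session destroy <user> --all` followed by a password reset closes sessions on the accounts you keep.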
How to Reduce Future WordPress Plugin Risk
WordPress plugins make websites more flexible, but every plugin also adds risk. This does not mean site owners should avoid plugins completely. It means plugins should be managed carefully.
Install only plugins that are truly needed. Keep them updated. Remove unused plugins instead of just deactivating them. Review plugin reputation, update history, and support activity before installing anything on a production website.
In addition, use strong passwords, enable two-factor authentication for administrator accounts, and limit the number of admin users. A web application firewall can also help block common attack attempts before they reach vulnerable code.
Backups are also important. A clean backup can help restore a site faster if attackers modify files or inject malicious content.
Conclusion
The critical WP Maps Pro flaw shows how dangerous a small access control mistake can become inside a WordPress plugin. CVE-2026-8732 allows unauthenticated attackers to create administrator accounts on vulnerable sites, which can lead to complete takeover.
If your website uses WP Maps Pro, check the version immediately. Update to version 6.1.1 or newer, review administrator accounts, scan for malware, and remove anything suspicious.
For WordPress site owners, the lesson is clear. Plugin updates are not just routine maintenance. They are part of website security. When a critical flaw is already being exploited, quick action can be the difference between a safe site and a compromised one.
Source: https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html
