Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin to create unauthorized administrator accounts on affected websites. The flaw, designated CVE-2026-8732, impacts all versions of the plugin up to and including 6.1.0.

WP Maps Pro is a premium WordPress plugin used by businesses, real estate sites, travel platforms, and organizations to display interactive maps and store locators, supporting providers like Google Maps and OpenStreetMap. The vulnerability stems from a “temporary access” feature designed to let vendor support staff troubleshoot customer sites. However, the associated AJAX endpoint was accessible to unauthenticated users, and its only protection was a nonce check whose nonce value was exposed in publicly served frontend JavaScript, which rendered the check ineffective.

According to researchers at WordPress security company Defiant, attackers can send a specially crafted request that triggers the creation of a new WordPress administrator account with a randomly generated username and a hardcoded email address, support@flippercode.com. “When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com. The function then generates a ‘magic login URL’ using generate_login_link(), stores it as user meta, and returns it in the response body.”

Once the attacker accesses the passwordless login URL, they gain immediate administrative control without needing a password or additional verification. Full administrator access enables attackers to inject persistent backdoors, alter site content, extract private data, deploy web shells, install malicious plugins, and fully compromise the website.
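For administrators triaging a site, the two indicators the advisory gives (admin-ajax requests carrying `check_temp=false`, and an administrator account tied to the hardcoded `support@flippercode.com` address) can be checked mechanically. The script below is an added example, not Defiant's or the vendor's code; it assumes a combined-format access log and a user list shaped like a `wp_users` export, and the sample log lines and accounts are constructed.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log line (assumption: this log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
HARDCODED_EMAIL = "support@flippercode.com"  # indicator quoted in the advisory

def suspicious_ajax_requests(log_lines):
    """(ip, timestamp, path) for admin-ajax.php hits carrying check_temp=false.
    Access logs show only the query string, not POST bodies, so an empty
    result does not prove the endpoint was never abused."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "/wp-admin/admin-ajax.php" not in m.group("path"):
            continue
        if re.search(r"[?&]check_temp=false(?:&|$)", m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("path")))
    return hits

def suspicious_admins(users, since_iso):
    """Administrator accounts matching the advisory's indicator (the hardcoded
    vendor e-mail) or registered on/after since_iso. `users` is a list of
    dicts shaped like a wp_users export (assumed shape)."""
    since = datetime.fromisoformat(since_iso)
    flagged = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        reasons = []
        if u["email"].lower() == HARDCODED_EMAIL:
            reasons.append("hardcoded vendor email")
        if datetime.fromisoformat(u["registered"]) >= since:
            reasons.append("registered after cutoff")
        if reasons:
            flagged.append((u["login"], reasons))
    return flagged

# Constructed sample data, not real traffic or real accounts.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?check_temp=false HTTP/1.1" 200 312',
    '198.51.100.7 - - [21/May/2026:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
]
SAMPLE_USERS = [
    {"login": "admin", "email": "owner@example.com", "roles": ["administrator"], "registered": "2024-01-10T09:00:00"},
    {"login": "x7k2q9", "email": "support@flippercode.com", "roles": ["administrator"], "registered": "2026-05-21T10:02:12"},
    {"login": "editor1", "email": "ed@example.com", "roles": ["editor"], "registered": "2026-05-22T08:00:00"},
]
```

A hit in either function warrants treating the site as compromised (rotate credentials and review for backdoors), not just updating to 6.1.1.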

Defiant reported blocking more than 3,600 exploitation attempts in a 24-hour period, confirming active targeting in the wild. Security researcher David Brown discovered and reported the vulnerability to Wordfence on March 24. The plugin vendor was notified on May 16 after the exploit was validated, and a patched version, WP Maps Pro 6.1.1, was released on May 20. Website administrators running affected versions are urged to update immediately due to ongoing malicious activity.