A critical vulnerability in WP Maps Pro versions 6.1.0 and older, tracked as CVE-2026-8732, allows unauthenticated attackers to create rogue administrator accounts. The flaw resides in a temporary access feature meant for the vendor's support staff: an AJAX endpoint reachable by visitors who are not logged in relied solely on a nonce check, and that nonce was exposed in the site's public frontend JavaScript, where anyone could read it. A WordPress nonce is a CSRF defense, not an authorization mechanism, so the check never verified who was calling. Sending a specially crafted request triggers code that creates a new WordPress user with the administrator role and returns a passwordless login URL to the attacker.
When the attacker visits that URL, they are automatically authenticated to the new admin account without a password or any additional verification. Researchers at Defiant, the company behind Wordfence, observed more than 3,600 exploitation attempts in 24 hours, with the requests carrying a check_temp parameter set to false. The vulnerable function creates the user with a randomly generated username and the hardcoded email address support@flippercode.com, then returns the magic login URL in the response body.
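The following plugin fragment is an added illustration of the vulnerability class, not WP Maps Pro's code (the article does not reproduce it). It places a nonce-only temporary-access handler registered for anonymous callers beside a hardened version that requires an authenticated administrator, grants a lesser role, and sends a short-lived single-use link out of band instead of echoing it in the response. All hook names, the `demo_` prefix, the transient key, the `editor` role and the support@example.com address are assumptions; the check_temp parameter seen in the attack traffic is not modeled because the article does not describe what it controls.

```php
<?php
// Constructed illustration of the vulnerability class, not WP Maps Pro's code.
// Hook names, parameter names, transient keys and the support address are
// hypothetical. Place in a plugin file to compare the two handlers.

// ---------------------------------------------------------------------------
// Vulnerable pattern: nonce-only gate on an endpoint open to anonymous callers
// ---------------------------------------------------------------------------

// The nonce is printed into public frontend JavaScript, so any visitor can
// read it from the page source and replay it.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'demoTempAccess', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_temp_access' ),
    ) );
} );

// wp_ajax_nopriv_* fires for visitors who are not logged in at all.
add_action( 'wp_ajax_nopriv_demo_temp_access', 'demo_temp_access_vulnerable' );

function demo_temp_access_vulnerable() {
    // The only check. A nonce proves the request came from a page that carried
    // it; it says nothing about who is calling, and here it was given to everyone.
    check_ajax_referer( 'demo_temp_access', 'security' );

    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'user_email' => 'support@example.com', // hypothetical fixed address
        'role'       => 'administrator',        // full site control
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }

    // Passwordless login link returned straight to whoever made the request.
    $token = bin2hex( random_bytes( 16 ) );
    set_transient( 'demo_magic_' . $token, $user_id, DAY_IN_SECONDS );
    wp_send_json_success( array(
        'login_url' => add_query_arg( 'demo_magic', $token, home_url( '/' ) ),
    ) );
}

// Consumer of the magic link: whoever holds a valid token becomes that user.
add_action( 'init', function () {
    if ( empty( $_GET['demo_magic'] ) ) {
        return;
    }
    $key     = 'demo_magic_' . sanitize_key( wp_unslash( $_GET['demo_magic'] ) );
    $user_id = get_transient( $key );
    if ( ! $user_id ) {
        return;
    }
    delete_transient( $key );                // single use
    wp_set_current_user( (int) $user_id );
    wp_set_auth_cookie( (int) $user_id );
    wp_safe_redirect( admin_url() );
    exit;
} );

// ---------------------------------------------------------------------------
// Hardened pattern: same feature, gated on identity and capability
// ---------------------------------------------------------------------------

// No nopriv hook: the action does not exist for anonymous visitors at all.
add_action( 'wp_ajax_demo_temp_access', 'demo_temp_access_hardened' );

function demo_temp_access_hardened() {
    check_ajax_referer( 'demo_temp_access', 'security' ); // CSRF defense only

    // Authorization: only a logged-in user who may create and promote users.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Least privilege: a support account does not need to be an administrator.
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'user_email' => 'support@example.com', // hypothetical
        'role'       => 'editor',               // or a purpose-built custom role
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }

    // Short-lived, single-use token delivered out of band to the support
    // mailbox and never echoed back in the HTTP response.
    $token = bin2hex( random_bytes( 16 ) );
    set_transient( 'demo_magic_' . $token, $user_id, 15 * MINUTE_IN_SECONDS );
    wp_mail(
        'support@example.com',
        'Temporary access to ' . home_url(),
        add_query_arg( 'demo_magic', $token, home_url( '/' ) )
    );
    wp_send_json_success( 'access link sent to the support mailbox' );
}
```

Two changes close the hole: the action is no longer registered under a wp_ajax_nopriv_ hook, and the handler checks capabilities before doing anything privileged. The nonce stays, but only as the CSRF layer it was designed to be. When auditing a plugin for this class of bug, list every wp_ajax_nopriv_ callback and flag any whose only gate is check_ajax_referer() or wp_verify_nonce() before it calls wp_insert_user(), wp_update_user(), set_role() or wp_set_auth_cookie().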
WP Maps Pro is a premium plugin with over 15,800 sales on Envato Market, typically used for interactive maps and store locators on business and real estate websites. Administrator access lets attackers inject backdoors, modify content, read private data, deploy web shells, install malicious plugins, and fully compromise a site. Security researcher David Brown discovered the flaw and reported it through Wordfence on March 24; the vendor was notified after validation on May 16 and released version 6.1.1 with a fix on May 20. With exploitation already observed in the wild, website administrators are urged to update immediately.
