WP Maps Pro Bug Lets Hackers Create Admin Accounts
CVE-2026-8732 in WP Maps Pro allows unauthenticated admin account creation. Over 3,600 exploits blocked. Patch to version 6.1.1 immediately.
WP Maps Pro Exploit Gives Attackers Full Admin Access
A critical vulnerability in the WP Maps Pro WordPress plugin is being actively exploited. Tracked as CVE-2026-8732, the flaw allows unauthenticated attackers to create administrator accounts on any affected site, no credentials required. Defiant researchers blocked over 3,600 exploitation attempts in a single 24-hour window. If you run WP Maps Pro 6.1.0 or older, this is not a theoretical risk.
The plugin has over 15,800 sales on Envato Market, meaning the exposed attack surface is significant. Businesses, real estate platforms, travel directories, and any site using interactive maps with store locator functionality are all in scope.
How CVE-2026-8732 Works
The root cause is a misimplemented "temporary access" feature, originally designed to let vendor support staff log into customer sites for troubleshooting. The AJAX endpoint powering this feature is registered for unauthenticated users, and its only gate is a nonce check. A WordPress nonce is a CSRF token, not an authorization check: it proves the request was built from a page the site served, not that the requester is allowed to do anything. Because the plugin prints that nonce into public front-end JavaScript, any anonymous visitor can read it and satisfy the check. The protection is, in practical terms, worthless.
Sending a crafted POST request with the check_temp parameter set to false triggers the vulnerable function. It calls wp_insert_user() with a hardcoded role of administrator, a randomly generated username, and the hardcoded email support@flippercode.com. The function then generates a magic login URL via generate_login_link(), stores it as user meta, and returns it in the HTTP response body.
The attacker retrieves that URL and visits it. WordPress authenticates them automatically. No password. No second factor. Full admin session.
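The PHP below is an added illustration of the bug class, not the WP Maps Pro source and not code from the advisory. It reconstructs the pattern described above (a handler on the nopriv AJAX hook, gated only by a nonce the plugin itself prints into public JavaScript) and places a hardened version beside it. The only details taken from the advisory are the administrator role, the hardcoded email, the check_temp parameter and the fact that the login link comes back in the response; the action names, nonce actions, meta keys, the token-based stand-in for generate_login_link(), and the 24-hour lifetime are assumptions.

```php
<?php
// Added illustration of the bug class, not the plugin's own code.
// Action names, nonce actions and meta keys below are assumed.

// ---------- Vulnerable pattern (reconstructed from the advisory) ----------
// Registered on the wp_ajax_nopriv_ hook, so anonymous clients reach it.
add_action( 'wp_ajax_nopriv_maps_temp_access', 'maps_temp_access_vulnerable' );
add_action( 'wp_ajax_maps_temp_access',        'maps_temp_access_vulnerable' );

function maps_temp_access_vulnerable() {
    // A nonce only proves the request was built from a page the site served.
    // The same nonce is printed into public front-end JavaScript, so any
    // visitor can read it: this check grants nothing to the anonymous caller.
    check_ajax_referer( 'maps_public_nonce', 'nonce' );

    if ( isset( $_POST['check_temp'] ) && 'false' === $_POST['check_temp'] ) {
        // No capability check: an anonymous caller becomes an administrator.
        $user_id = wp_insert_user( array(
            'user_login' => 'support_' . wp_generate_password( 8, false ),
            'user_pass'  => wp_generate_password( 24 ),
            'user_email' => 'support@flippercode.com',
            'role'       => 'administrator',
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            // Hypothetical stand-in for the plugin's generate_login_link():
            // a random token stored in user meta and embedded in a login URL.
            $token = wp_generate_password( 32, false );
            update_user_meta( $user_id, 'maps_temp_login_token', $token );
            $link = add_query_arg( array( 'maps_temp_login' => $token ), home_url( '/' ) );
            // The magic link is handed straight back to whoever sent the POST.
            wp_send_json_success( array( 'login_url' => $link ) );
        }
    }
    wp_send_json_error( 'bad request', 400 );
}

// ---------- Hardened pattern ----------
// 1. No nopriv hook: only logged-in users reach the handler at all.
add_action( 'wp_ajax_maps_temp_access', 'maps_temp_access_hardened' );

function maps_temp_access_hardened() {
    check_ajax_referer( 'maps_temp_access', 'nonce' );
    // 2. Authorization, which the nonce never provided: only a user who may
    //    already create and promote users can open the door for support.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'user_email' => 'support@flippercode.com',
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    // 3. Short-lived, single-use token; only its hash touches the database.
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'maps_temp_token_hash', wp_hash( $token ) );
    update_user_meta( $user_id, 'maps_temp_expires', time() + DAY_IN_SECONDS );
    $link = add_query_arg( array( 'uid' => $user_id, 'maps_temp_login' => $token ), home_url( '/' ) );
    // 4. The link leaves through a channel the site owner chose to trust,
    //    never in the HTTP response to the requester.
    wp_mail( 'support@flippercode.com', 'Temporary access link', $link );
    wp_send_json_success( array( 'message' => 'temporary access link sent to vendor support' ) );
}

// Consumer of the link: validate, check expiry, burn the token, then log in.
add_action( 'init', 'maps_temp_login_consume' );
function maps_temp_login_consume() {
    if ( empty( $_GET['maps_temp_login'] ) || empty( $_GET['uid'] ) ) {
        return;
    }
    $user_id = absint( $_GET['uid'] );
    $hash    = get_user_meta( $user_id, 'maps_temp_token_hash', true );
    $expires = (int) get_user_meta( $user_id, 'maps_temp_expires', true );
    $valid   = $hash && time() <= $expires
            && hash_equals( $hash, wp_hash( (string) $_GET['maps_temp_login'] ) );
    if ( ! $valid ) {
        wp_die( 'Invalid or expired link.', '', array( 'response' => 403 ) );
    }
    delete_user_meta( $user_id, 'maps_temp_token_hash' ); // single use
    delete_user_meta( $user_id, 'maps_temp_expires' );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The four numbered changes in the hardened handler are independent layers: dropping the nopriv hook keeps anonymous traffic out, the capability check is the authorization the nonce never gave, the hashed and expiring token limits what a leaked link is worth, and keeping the link out of the response means the caller who triggered the flow never sees it.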
What Attackers Can Do With Admin Access
Admin-level access on a WordPress site is essentially game over for site integrity. From that position, attackers can install malicious plugins, deploy PHP web shells, inject persistent backdoors into theme files, exfiltrate customer data and private content, and redirect traffic to phishing pages or malware distribution infrastructure.
Persistent backdoors are the real long-term threat here. Even if you update the plugin after an initial compromise, a backdoor planted by an attacker before the patch survives the update. That is why speed matters, and why post-compromise forensics are as important as patching.
How to Fix and Detect the WP Maps Pro Vulnerability
The vendor released WP Maps Pro 6.1.1 on May 20, 2026, addressing CVE-2026-8732. Updating to this version removes the vulnerable code path. The steps are straightforward:
- Update WP Maps Pro to version 6.1.1 or later immediately.
- Audit your WordPress users table for accounts you do not recognize, especially any created recently with administrator roles.
- Check your user records for the hardcoded email support@flippercode.com.
- Review recently installed plugins and modified theme files for unauthorized changes.
- Search web server and WAF logs for POST requests to the plugin's AJAX endpoint (admin-ajax.php for standard WordPress AJAX hooks) from unfamiliar sources around the time of any unexpected account creation. The check_temp parameter travels in the POST body, so ordinary access logs show only the endpoint, not the parameter.
- If you suspect compromise, treat the site as fully compromised and perform a clean reinstall from known-good backups.
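The script below is an added audit helper for the user-table checks in the list above; it is not part of WP Maps Pro or the advisory. Run it with WordPress loaded, for example from the site root with WP-CLI as `wp eval-file audit-admins.php`. The 30-day window, the optional known-admin list and the output format are assumptions; the administrator role and the support@flippercode.com email are the indicators the advisory gives. Because the advisory does not name the user-meta key under which the magic link is stored, the script prints every meta key on a flagged account rather than guessing one.

```php
<?php
// Added audit script, not part of WP Maps Pro or the advisory.
// Run with WordPress loaded: wp eval-file audit-admins.php
// Assumptions: the 30-day window and the output format are mine.

$window_days = 30;
$since       = gmdate( 'Y-m-d H:i:s', time() - $window_days * DAY_IN_SECONDS );
$findings    = array();

// 1. Administrators registered inside the window. WP_User_Query's date_query
//    applies to user_registered, so this is "admin accounts created recently".
foreach ( get_users( array(
    'role'       => 'administrator',
    'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
) ) as $u ) {
    $findings[ $u->ID ][] = "administrator registered {$u->user_registered} (after {$since})";
}

// 2. Any account, whatever its role, carrying the email the exploit hardcodes.
foreach ( get_users( array(
    'search'         => 'support@flippercode.com',
    'search_columns' => array( 'user_email' ),
) ) as $u ) {
    $findings[ $u->ID ][] = 'email support@flippercode.com (hardcoded by the exploit)';
}

// 3. Administrators whose login is not on the list you recognise.
//    Fill this in from your own records; leave it empty to skip the check.
$known_admins = array( /* 'alice', 'bob' */ );
if ( $known_admins ) {
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
        if ( ! in_array( $u->user_login, $known_admins, true ) ) {
            $findings[ $u->ID ][] = 'administrator not in the known-admin list';
        }
    }
}

if ( ! $findings ) {
    echo "No suspicious accounts found (window: {$window_days} days).\n";
    exit;
}

foreach ( $findings as $id => $reasons ) {
    $u = get_userdata( $id );
    printf( "[!] ID %d  login=%s  email=%s  registered=%s\n",
        $id, $u->user_login, $u->user_email, $u->user_registered );
    foreach ( $reasons as $reason ) {
        echo "      - {$reason}\n";
    }
    // The advisory says the magic link is stored as user meta but not under
    // which key, so list every key on the account instead of guessing one.
    echo '      meta keys: ' . implode( ', ', array_keys( get_user_meta( $id ) ) ) . "\n";
}
echo "\nReview each account before removing it: wp user delete <ID> --reassign=<trusted admin ID>\n";
```

A hit on check 2 or an unknown administrator on check 3 is a strong indicator on its own; a hit on check 1 alone needs a look at who created the account and when. Either way, treat a positive result as the start of a forensic review of file changes and logs, not as the end of the cleanup.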
Running a DAST scan against your WordPress site can surface exposed AJAX endpoints and other unauthenticated attack vectors before attackers find them. Scan your site now at VibeWShield to check for this and similar plugin vulnerabilities.
For broader coverage of WordPress plugin flaws, see our WordPress security vulnerability roundup.
Is my site at risk if I updated to 6.1.1?
Updating to 6.1.1 closes this vector for new attacks, but it does nothing about anything that happened before the update. Audit your administrator list and recent file changes to confirm that no rogue account or backdoor was created before you patched.
How do I check if my site was already compromised?
Search your WordPress users table for unknown accounts with administrator roles, and filter by recent creation dates. Also check for the email support@flippercode.com. If you find unexpected accounts, assume the worst and conduct a full forensic review of file modifications and server logs.
Does a WAF block this exploit?
A well-configured WAF with WordPress-specific rules can block exploitation attempts, and Defiant's firewall has already been updated with a rule for CVE-2026-8732. That said, a firewall rule is not a substitute for patching. Apply the update regardless of whether a WAF is in place.
Run a free vulnerability scan on your WordPress site at VibeWShield.