A critical vulnerability tracked as CVE-2026-8732 affects the premium WP Maps Pro plugin for WordPress. Multiple sources report that versions up to and including 6.1.0 allow unauthenticated attackers to create new administrator accounts, which can result in complete site takeover. Given that the plugin has more than 15,000 sales, the potential impact is meaningful for site owners using this tool.
Why it matters: an attacker who can create an administrator account does not need valid credentials to control a site. That shifts the risk from credential theft to direct privilege escalation.
What’s confirmed
According to Wordfence and the NVD listings for recent CVEs, the issue involves an AJAX action related to a “temporary access” support feature. The action is registered for unauthenticated use and protected only by a nonce that is embedded in frontend JavaScript, which makes it ineffective as an access control mechanism. Invoking the relevant handler with specific parameters results in a new WordPress user being created with administrator privileges and a passwordless “magic login” URL being returned; visiting that URL authenticates the attacker as the new admin. Both Wordfence and NVD state that all versions up to, and including, 6.1.0 are vulnerable.
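The access-control mistake described above, shown as a constructed PHP illustration beside a hardened version. This is an added example, not WP Maps Pro's own code; the hook name `example_temp_access`, the `login` parameter and the meta keys are invented.

```php
<?php
// Constructed illustration of the pattern described in the advisory; NOT plugin code.

// --- Weak pattern: an unauthenticated (nopriv) AJAX action gated only by a nonce ---
// The nonce is printed into public frontend JavaScript, so any visitor can read it.
// A nonce shows the request came from a page the server rendered; it says nothing
// about who sent it, and on a nopriv hook the sender may be nobody at all.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_weak' );
function example_temp_access_weak() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // the only gate
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator', // privileged action with no capability check
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- Hardened pattern: authenticated hook, capability check, then nonce ---
// wp_ajax_ (without nopriv) is dispatched only for logged-in users; the capability
// check limits it to users allowed to create and promote accounts; the nonce then
// protects those users against CSRF, which is the job it was designed for.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );
function example_temp_access_hardened() {
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    check_ajax_referer( 'example_temp_access', 'nonce' );

    $login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ), true ) : '';
    if ( '' === $login || username_exists( $login ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or existing login.' ), 400 );
    }

    // A support account should be least-privilege and short-lived, not an administrator.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    // Record who created it and when it expires so unexpected accounts can be audited.
    update_user_meta( $user_id, 'example_created_by', get_current_user_id() );
    update_user_meta( $user_id, 'example_expires', time() + DAY_IN_SECONDS );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

`wp_send_json_error()` ends the request, so no explicit `return` is needed after each failure branch.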
Wordfence attributes discovery and responsible reporting of the bug to researcher David Brown via the company’s bug bounty program. Wordfence also notes that it published a firewall rule for Wordfence Premium, Care, and Response users on May 18, 2026, with the same protection scheduled for the free version on June 17, 2026. At the time of Wordfence’s publication, the vendor’s patched release was identified as version 6.1.1, and users were urged to update to the latest fixed version.
BleepingComputer reports that threat actors are attempting to exploit the flaw in the wild, citing observations of blocked attempts by Defiant (the company behind Wordfence). This indicates real-world interest from attackers, not just a theoretical weakness.
Sources referenced in this article:
- Wordfence: “15,000 WordPress Sites Affected by Administrator Account Creation Vulnerability in WP Maps Pro WordPress Plugin” (May 28, 2026)
- BleepingComputer: “WP Maps Pro bug exploited to create admin accounts on WordPress sites” (May 31, 2026)
- NVD recent CVEs summary referencing WP Maps Pro up to 6.1.0
Practical next steps
Based on the available evidence, a focused response is warranted for any site running WP Maps Pro:
- Check your WP Maps Pro version. If it is 6.1.0 or older, update to the latest patched release. Wordfence identifies 6.1.1 as the fixed version at the time of its publication.
- If your site uses Wordfence, note the firewall protection windows: May 18, 2026 for paid tiers and June 17, 2026 for the free version, per Wordfence. Update your security plugins accordingly.
- Because the vulnerability enables creation of new administrator accounts, review your WordPress Users list for any unexpected administrators and remove accounts you did not create.
What remains uncertain
The public sources consulted for this article do not include a vendor advisory detailing the root-cause changes in the patch, nor guidance beyond updating. Exploit prevalence beyond the reported blocking statistics is also unclear. As with any evolving issue, details may change as the vendor or security teams publish more information.
Bottom line
CVE-2026-8732 is a high-impact privilege escalation in WP Maps Pro that can hand attackers full administrative control without authentication. Update promptly to the latest fixed version, ensure your security tools are current, and verify there are no unfamiliar administrator accounts on your site.
Further reading:
- Wordfence post: https://www.wordfence.com/blog/2026/05/15000-wordpress-sites-affected-by-administrator-account-creation-vulnerability-in-wp-maps-pro-wordpress-plugin/
- BleepingComputer coverage: https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites/
- WP Maps Pro product page (vendor marketplace): https://codecanyon.net/item/advanced-google-maps-plugin-for-wordpress/5211638
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.