Threat actors are actively exploiting a critical flaw in the WP Maps Pro WordPress plugin to create administrator accounts on vulnerable sites, with Wordfence saying it blocked 2,858 attack attempts in the past 24 hours. The issue affects plugin versions up to 6.1.0 and was fixed in 6.1.1.
KEY FACTS
- Vulnerability: CVE-2026-8732 is rated 9.8 and enables unauthenticated privilege escalation.
- Impact: Attackers can create a WordPress administrator user and take over a site.
- Affected versions: All releases prior to and including 6.1.0 are vulnerable.
- Fix: The plugin maintainers released version 6.1.1 on May 20, 2026.
A technical analysis from Wordfence said the weakness is tied to a temporary access feature meant for support staff. The plugin exposed an AJAX action to unauthenticated users and relied on a nonce check that was publicly embedded on frontend pages, which made it ineffective as an access control measure.
The disclosure said attackers can call the support handler with check_temp=false, which creates a new WordPress user with administrator privileges and returns a magic login URL. Visiting that URL completes authentication as the newly created administrator and results in full site takeover.
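As an added illustration (not the plugin's code, which the disclosure does not reproduce), the access-control pattern described above beside a hardened form: a WordPress AJAX handler whose only gate is a nonce printed into public pages, versus one that is registered only for logged-in users and checks a capability. The hook, function and nonce names are hypothetical.

```php
<?php
// Hypothetical illustration, not the WP Maps Pro source. It contrasts the weak
// pattern described in the disclosure with a hardened version of the same handler.

// WEAK: the action is exposed to anonymous visitors via wp_ajax_nopriv_, and the
// only gate is a nonce. A nonce embedded in public frontend markup is readable by
// anyone, so it says nothing about who is calling; it was never an authorization check.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_weak' );
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_weak' );
function example_temp_access_weak() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // CSRF token only, not authorization
    // ... privileged work (creating users, issuing login links) would follow here ...
    wp_send_json_success();
}

// HARDENED: no nopriv hook, so WordPress rejects anonymous callers before the
// handler runs; the handler then requires an explicit capability (authorization)
// and still verifies the nonce, which is the job nonces are actually designed for.
add_action( 'wp_ajax_example_temp_access_v2', 'example_temp_access_hardened' );
function example_temp_access_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    // Third argument false: return false instead of dying, so we control the response.
    if ( ! check_ajax_referer( 'example_temp_access_v2', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }
    // Privileged work goes here; any account it creates should be written to an audit log.
    wp_send_json_success();
}
```

Updating the plugin closes the handler but does not remove administrator accounts created before the patch, so a site that ran a vulnerable version should also review its user list for administrators it did not create.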
The flaw affects a plugin used for customizable maps and store locator features on WordPress sites. Security researcher David Brown is credited with finding and reporting the issue, and the patch released on May 20 limits access to authenticated administrators.
Wordfence said it has already blocked thousands of attack attempts against the vulnerability. Site owners using the plugin are being urged to update to the latest version to reduce exposure while exploitation continues.
WHY IT MATTERS
The issue can give attackers full control of a WordPress site without a password or prior access, which can expose content, data and administrative settings. Updating to the patched version is the main protection noted in the disclosure.