WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
CVE-2026-8732 in WP Maps Pro plugin allows unauthenticated attackers to create admin accounts and take over WordPress
Summary
A critical vulnerability (CVE-2026-8732, CVSS 9.8) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts and fully compromise affected sites. The flaw is in the AJAX callback that generates temporary vendor access for troubleshooting: it relies only on a nonce check, but the nonce is embedded in every frontend page and therefore available to any visitor, and the callback performs no capability check. Defiant reports blocking over 1,700 attacks exploiting the flaw in 24 hours; it was patched in version 6.1.1.
Full text
Threat actors are exploiting a critical-severity vulnerability in the WP Maps Pro WordPress plugin to take over websites, Defiant warns. WP Maps Pro lets site administrators embed Google Maps in their installations, customizable with advanced locations, markers, and categories.

The exploited vulnerability, tracked as CVE-2026-8732 (CVSS score of 9.8), allows unauthenticated threat actors to create new administrator accounts and take over vulnerable sites.

WP Maps Pro ships support tooling that exposes a temporary access feature the vendor uses to log in to customer sites during troubleshooting. According to Defiant, the security defect is in the AJAX callback that handles temporary access generation, which is protected only by a nonce check. The nonce is embedded in every frontend page and exposed to any unauthenticated visitor, which makes the check ineffective. A WordPress nonce is a cross-site request forgery defense, not an authorization check: it shows that a request came from a page the site served, not that the caller is allowed to perform the action, and for logged-out visitors WordPress derives it from user ID 0, so a single nonce scraped from the public page validates for any anonymous request during its lifetime.

Furthermore, the plugin performs no capability check, so an unauthenticated attacker can invoke the AJAX action with the check_temp parameter set to false and create a new WordPress user with the administrator role. The account is created with a random username and a hardcoded email address. The function also generates a magic login URL and returns it to the attacker, who can use it to authenticate without a password or any additional verification.

“As a result, an attacker gains full administrator-level control over the site and can install malicious plugins, modify themes, inject backdoors, exfiltrate data, or deploy web shells for persistent access,” Defiant explains.

The vulnerability was addressed in WP Maps Pro version 6.1.1, which adds a capability check restricting the action to authenticated administrators. Defiant says it blocked over 1,700 attacks targeting CVE-2026-8732 over the past 24 hours. Because the exploit leaves a live administrator account behind, updating the plugin alone is not enough: site owners should also review administrator accounts, active sessions, installed plugins, and theme files for changes they did not make.
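The bug class described above, as an added example in hypothetical plugin code; this is not WP Maps Pro's code, and the action name demo_temp_access, the script handle demo-map, the JavaScript object demoMap, the placeholder address support@example.com and the cleanup hook are all invented for the demonstration. It assumes a standard WordPress install where the plugin prints its nonce into every frontend page so its JavaScript can call admin-ajax.php. The first handler has the shape Defiant describes (nonce check only, registered for logged-out users, creates an administrator); the second shows the fix the page reports, a capability check, plus the least-privilege changes a reviewer would ask for.

```php
<?php
/**
 * Added example (not WP Maps Pro code). All names are invented.
 *
 * Why the nonce alone fails: for a logged-out visitor WordPress builds the
 * nonce from user ID 0 and an empty session token, so every anonymous
 * visitor receives the same valid nonce. It proves the request came from a
 * page that carried the nonce, never who the caller is.
 */

add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-map', plugins_url( 'demo-map.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-map', 'demoMap', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_temp_access' ),   // visible in page source
    ) );
} );

/* ---- Vulnerable shape: nonce check only, reachable by logged-out users ---- */

// The nopriv_ hook makes the callback reachable without any login.
add_action( 'wp_ajax_nopriv_demo_temp_access', 'demo_temp_access_vulnerable' );
add_action( 'wp_ajax_demo_temp_access',        'demo_temp_access_vulnerable' );

function demo_temp_access_vulnerable() {
    // The only gate. Passes for any request carrying the public nonce.
    check_ajax_referer( 'demo_temp_access', 'nonce' );

    // No current_user_can() anywhere: an anonymous caller reaches this point
    // and receives a brand-new administrator account.
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32, true ),
        'user_email' => 'support@example.com',   // placeholder for a hardcoded address
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/* ---- Hardened shape: no nopriv hook, nonce plus capability check ---- */

// Only the wp_ajax_ hook: logged-out requests never reach the callback.
add_action( 'wp_ajax_demo_temp_access', 'demo_temp_access_hardened' );

function demo_temp_access_hardened() {
    // CSRF protection is still required ...
    check_ajax_referer( 'demo_temp_access', 'nonce' );
    // ... and authorization is the check that was missing: only an
    // administrator may mint support access, regardless of request parameters.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Least privilege (added design choice): the support account expires and
    // does not need to be an administrator; record who requested it.
    $expires = time() + DAY_IN_SECONDS;
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32, true ),
        'user_email' => 'support@example.com',
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    update_user_meta( $user_id, 'demo_temp_access_expires', $expires );
    update_user_meta( $user_id, 'demo_temp_access_requested_by', get_current_user_id() );
    wp_send_json_success( array( 'user_id' => $user_id, 'expires' => $expires ) );
}

// Hypothetical scheduled hook: delete support accounts past their expiry.
add_action( 'demo_temp_access_cleanup', function () {
    require_once ABSPATH . 'wp-admin/includes/user.php';   // wp_delete_user()
    foreach ( get_users( array( 'meta_key' => 'demo_temp_access_expires' ) ) as $u ) {
        if ( (int) get_user_meta( $u->ID, 'demo_temp_access_expires', true ) < time() ) {
            wp_delete_user( $u->ID );
        }
    }
} );
```

The two points to take from the contrast: a privileged action should never be registered under wp_ajax_nopriv_, and check_ajax_referer() and current_user_can() answer different questions, so a handler that changes site state needs both. The hardened version also refuses to take the privilege level or any "skip the check" flag from the request, which is what makes a parameter like check_temp harmless.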
Written by Ionut Arghire, international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-8732
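The only indicator the page lists is the CVE itself, so the host-side check a site owner wants after updating is an audit of administrator accounts that appeared around the time of the attacks. The script below is an added triage example, not from the page or the vendor; it assumes WordPress with WP-CLI available, is run with `wp eval-file find-new-admins.php 2026-05-01` (the filename and the date are illustrative), and lists administrator accounts registered on or after the given date together with the number of open sessions each one holds.

```php
<?php
/**
 * find-new-admins.php (added triage example, not vendor code).
 * Usage:  wp eval-file find-new-admins.php [YYYY-MM-DD]
 * Default window is the last 30 days. $args is populated by WP-CLI eval-file.
 */

$since = isset( $args[0] ) ? $args[0] : gmdate( 'Y-m-d', time() - 30 * DAY_IN_SECONDS );

// Administrator accounts whose user_registered timestamp is on or after $since,
// newest first, so a freshly minted account is at the top of the list.
$admins = get_users( array(
    'role'       => 'administrator',
    'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
) );

$rows = array();
foreach ( $admins as $u ) {
    // Open login sessions for the account; a magic-link login shows up here.
    $sessions = WP_Session_Tokens::get_instance( $u->ID )->get_all();
    $rows[]   = array(
        'ID'         => $u->ID,
        'login'      => $u->user_login,
        'email'      => $u->user_email,
        'registered' => $u->user_registered,
        'sessions'   => count( $sessions ),
    );
}

if ( empty( $rows ) ) {
    WP_CLI::success( "No administrator accounts registered since $since." );
} else {
    WP_CLI::warning( count( $rows ) . " administrator account(s) registered since $since; verify each one." );
    WP_CLI\Utils\format_items( 'table', $rows, array( 'ID', 'login', 'email', 'registered', 'sessions' ) );
}
```

An account the site owner does not recognize should have its sessions revoked and then be removed with its content reassigned, for example `wp user session destroy <login> --all` followed by `wp user delete <ID> --reassign=<known-admin-ID>`; the same review should extend to plugins, theme files and scheduled tasks, since the account is only the entry point Defiant describes.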