
WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites


Threat actors are exploiting a critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin to create administrator accounts and take over vulnerable sites; Defiant reports blocking more than 1,700 attacks in 24 hours. The flaw, fixed in version 6.1.1, lets an unauthenticated visitor call a privileged AJAX action whose only protection is a nonce that the plugin prints on public pages, and receive an admin-level account with a hardcoded email address plus a magic login URL.

A critical vulnerability in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8732 with a CVSS score of 9.8, is being actively exploited to hijack websites. WP Maps Pro is used to embed customizable Google Maps, and it ships a temporary-access feature intended for troubleshooting. The AJAX callback behind that feature performs no capability check; its only guard is a nonce check, and because the plugin exposes its nonces globally on front-end pages, any visitor can read a valid nonce out of the page source and satisfy that check.

The attack chain described by Defiant is short: the attacker submits the AJAX request with the *check_temp* parameter set to false, which skips the remaining restriction; the plugin then creates a user with a random username and a hardcoded email address, assigns it administrator privileges, and returns a magic login URL. Following that URL gives the attacker full administrator control of the site, enough to install malicious plugins, modify themes, inject backdoors, or deploy web shells, and from there to manipulate content, exfiltrate data, or keep persistent access.

The root cause is the combination of two design errors: nonces treated as an access control, and privileged actions executed without validating the caller's permissions. A WordPress nonce is an anti-CSRF token tied to the current (possibly anonymous) session; it says nothing about who the caller is or what they are allowed to do, so it can never substitute for a current_user_can() check. Version 6.1.1 adds capability checks so that only authenticated administrators can reach the temporary-access action.

Defiant reported blocking more than 1,700 attacks targeting CVE-2026-8732 within 24 hours, which shows how quickly this flaw was weaponized. Site owners should update WP Maps Pro to 6.1.1 or later immediately. Because exploitation predates many updates, updating alone does not undo a compromise: after patching, review the list of administrator accounts for users you did not create, check recently installed plugins and modified theme files, and rotate credentials if anything unexpected turns up. This incident follows a series of recent WordPress plugin vulnerabilities and underscores the need for proactive security measures in widely used CMS components.
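To make the failure mode concrete, below is an added illustrative example, written for this page and not taken from WP Maps Pro or from the 6.1.1 fix. It shows a generic WordPress AJAX handler with the same shape as the bug described above (nonce-only protection, a client-controlled flag, no capability check) next to a hardened version. Every name in it (the sec_demo_* functions and hooks, the nonce action strings, the option and meta keys, the placeholder email) is an assumption for illustration; the WordPress API calls themselves (add_action, check_ajax_referer, current_user_can, wp_create_user, wp_send_json_*) are real.

```php
<?php
/*
 * Hypothetical WordPress plugin code illustrating the bug class discussed on
 * this page. Not WP Maps Pro's code. All sec_demo_* names, the "check_temp"
 * parameter, option/meta keys and the placeholder email are assumptions.
 */

/* ---------- Vulnerable pattern (for comparison only; do not ship) ---------- */

// Registered on the *_nopriv_ hook too, so logged-out visitors reach it.
add_action( 'wp_ajax_nopriv_sec_demo_temp_access', 'sec_demo_temp_access_vulnerable' );
add_action( 'wp_ajax_sec_demo_temp_access',        'sec_demo_temp_access_vulnerable' );

function sec_demo_temp_access_vulnerable() {
    // A nonce is a CSRF token bound to the (possibly anonymous) session.
    // If the plugin also emits it on public pages, e.g.
    //   wp_localize_script( 'sec-demo', 'secDemo', array( 'nonce' => wp_create_nonce( 'sec_demo_nonce' ) ) );
    // then every visitor can read a valid value from the HTML and pass this.
    check_ajax_referer( 'sec_demo_nonce', 'nonce' );

    // Assumed flag: sending check_temp=false skips the only other restriction.
    $check_temp = isset( $_POST['check_temp'] )
        ? filter_var( wp_unslash( $_POST['check_temp'] ), FILTER_VALIDATE_BOOLEAN )
        : true;
    if ( $check_temp && ! get_option( 'sec_demo_temp_access_enabled' ) ) {
        wp_send_json_error( 'temporary access disabled' );
    }

    // No current_user_can() anywhere: an anonymous caller mints an administrator.
    $login   = 'temp_' . wp_generate_password( 8, false );
    $user_id = wp_create_user( $login, wp_generate_password( 20 ), 'support@example.invalid' ); // placeholder hardcoded address
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    ( new WP_User( $user_id ) )->set_role( 'administrator' );

    // "Magic login" URL: a one-time token kept in user meta (assumed design).
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'sec_demo_login_token', wp_hash_password( $token ) );
    wp_send_json_success( array(
        'login_url' => add_query_arg( array( 'sec_demo_token' => $token, 'uid' => $user_id ), home_url( '/' ) ),
    ) );
}

/* ---------- Hardened pattern ---------- */

// Authenticated hook only: wp-admin/admin-ajax.php never routes logged-out
// requests to this callback.
add_action( 'wp_ajax_sec_demo_temp_access_fixed', 'sec_demo_temp_access_fixed' );

function sec_demo_temp_access_fixed() {
    // 1. Authorization first. Only someone who can already manage the site
    //    may create another administrator. This is the class of check the
    //    page says 6.1.1 added.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection second. This nonce is issued only inside wp-admin
    //    to users who passed step 1, never printed on public pages.
    check_ajax_referer( 'sec_demo_nonce_admin', 'nonce' );

    // 3. Server-side policy that the request cannot switch off: no
    //    check_temp-style override is read from $_POST at all.
    if ( ! get_option( 'sec_demo_temp_access_enabled' ) ) {
        wp_send_json_error( 'temporary access disabled', 403 );
    }

    // 4. Least privilege for the support account: an expiring token, an
    //    expiry recorded with it, and an audit line naming who requested it.
    $login   = 'support_' . wp_generate_password( 8, false );
    $user_id = wp_create_user( $login, wp_generate_password( 24 ), sanitize_email( $login . '@example.invalid' ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    ( new WP_User( $user_id ) )->set_role( 'administrator' );

    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'sec_demo_login_token',   wp_hash_password( $token ) );
    update_user_meta( $user_id, 'sec_demo_token_expires', time() + HOUR_IN_SECONDS );
    update_user_meta( $user_id, 'sec_demo_created_by',    get_current_user_id() );
    error_log( sprintf( 'sec_demo: temp admin %d created by user %d', $user_id, get_current_user_id() ) );

    wp_send_json_success( array(
        'login_url' => add_query_arg( array( 'sec_demo_token' => $token, 'uid' => $user_id ), home_url( '/' ) ),
        'expires'   => HOUR_IN_SECONDS,
    ) );
}
```

The order in the hardened handler matters: capability check, then nonce, then server-side policy. The redeem side of the magic link (not shown) would have to verify the hash with wp_check_password(), honour the stored expiry, and delete the token meta on first use so the URL cannot be replayed.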

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
