Threat actors are exploiting a critical-severity vulnerability in the WP Maps Pro WordPress plugin to take over websites, Defiant warns.

WP Maps Pro allows site administrators to embed Google Maps in their installations, customizable with advanced location, markers, and categories.

The exploited vulnerability, tracked as CVE-2026-8732 (CVSS score of 9.8), allows unauthenticated threat actors to create new administrative accounts and take over vulnerable sites.

WP Maps Pro has been designed with support tooling that exposes a temporary access capability, which the vendor uses to log in to customer sites as part of troubleshooting operations.

According to Defiant, the security defect exists in the AJAX callback function that handles temporary access generation, which is protected only by a nonce check.
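
For plugin developers reviewing similar support features, the sketch below shows an AJAX handler that pairs the nonce check with a capability check. It is an added example, not code from WP Maps Pro or from Defiant's report. The `example_`-prefixed hook, action and function names, the 30-minute lifetime and the transient-based token store are all assumptions made for illustration.

```php
<?php
/**
 * Added example, not WP Maps Pro code. Every hook, action and function
 * name prefixed "example_" is hypothetical.
 */

// Register the handler for logged-in users only. No wp_ajax_nopriv_ hook
// is added, so admin-ajax.php does not route anonymous requests here.
add_action( 'wp_ajax_example_support_access', 'example_support_access_handler' );

function example_support_access_handler() {
    // 1. CSRF check. A WordPress nonce ties the request to a form or link
    //    the site generated; it says nothing about what the caller is
    //    allowed to do, and logged-out visitors all share the same nonce
    //    for a given action.
    if ( ! check_ajax_referer( 'example_support_access', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization check: the step a nonce-only handler lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Issue a short-lived token and store only a hash of it, together
    //    with who issued it, so the grant expires and can be audited.
    $token = wp_generate_password( 40, false );
    set_transient(
        'example_support_' . wp_hash( $token ),
        array(
            'issued_by' => get_current_user_id(),
            'issued_at' => time(),
        ),
        30 * MINUTE_IN_SECONDS
    );

    wp_send_json_success(
        array(
            'token'      => $token,
            'expires_in' => 30 * MINUTE_IN_SECONDS,
        )
    );
}
```

Because `wp_send_json_error()` ends the request, a failure at either check means no token is ever issued.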