TL;DR: A critical vulnerability (CVE-2026-8732, CVSS 9.8) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create admin accounts and take over sites. Wordfence blocked 2,858 exploitation attempts in 24 hours, with the flaw patched in version 6.1.1.
A critical vulnerability in WP Maps Pro, a commercial WordPress plugin with more than 15,000 sales on the Envato Market, is being actively exploited by attackers to create malicious administrator accounts on vulnerable sites. The flaw, tracked as CVE-2026-8732 with a CVSS score of 9.8, allows unauthenticated users to gain full administrative control of any WordPress installation running an unpatched version of the plugin.
Wordfence, which discovered the exploitation campaign, reported blocking 2,858 attacks targeting the vulnerability in the 24 hours prior to its disclosure. The flaw affects all versions of WP Maps Pro up to and including 6.1.0 and was patched in version 6.1.1, released on 20 May 2026. Security researcher David Brown is credited with discovering and reporting the issue.
How the exploit works
WP Maps Pro includes a “temporary access” feature designed to let the plugin’s support staff log into a customer’s site during troubleshooting. The feature exposes an AJAX action called “wpgmp_temp_access_ajax” that can create a new WordPress user with administrator privileges. The security architecture behind the feature was fundamentally flawed: the action was registered with WordPress’s “wp_ajax_nopriv_” hook, meaning it could be called by unauthenticated visitors.
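The registration mistake the article describes, beside the hardened form a maintainer would ship, as an added PHP example that is not WP Maps Pro's own code. Only the hook prefix and the action name come from the article; the function names, the nonce action, the user-meta key and the helper that lists recently registered administrators (all prefixed demo_) are hypothetical.

```php
<?php
// Added illustrative example; not the plugin's code. Everything prefixed demo_ is hypothetical.

// VULNERABLE PATTERN (the defect the article describes): a handler that creates an
// administrator is registered on the wp_ajax_nopriv_ hook, which WordPress fires for
// visitors who are not logged in. Nothing checks who is calling or whether the request
// was intentionally issued, so any anonymous request to admin-ajax.php reaches it.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'demo_temp_access_vulnerable' );
function demo_temp_access_vulnerable() {
    // No nonce, no capability check: this is the whole problem.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => 'administrator',
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED PATTERN: hook only wp_ajax_ (logged-in users), verify a nonce, require a
// capability, generate credentials server-side, and record an expiry for cleanup.
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'demo_temp_access_hardened' );
function demo_temp_access_hardened() {
    // CSRF protection: the settings page issues wp_create_nonce( 'demo_temp_access' )
    // and sends it as the "nonce" request field. Dies with 403 on mismatch.
    check_ajax_referer( 'demo_temp_access', 'nonce' );

    // Least privilege: only an existing administrator may provision support access.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Never accept the login or password from the client; generate both here.
    $login    = 'support_' . wp_generate_password( 8, false );
    $password = wp_generate_password( 24, true );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // Time-bound the account so a scheduled task (not shown) can remove it later.
    update_user_meta( $user_id, 'demo_temp_access_expires', time() + DAY_IN_SECONDS );

    // Return the login only; the password goes to the support channel out of band.
    wp_send_json_success( array( 'user_login' => $login ) );
}

// DEFENDER CHECK: list administrator accounts registered since a given timestamp,
// the kind of review a site owner would run after an exposure window like this one.
function demo_recent_admins( $since_ts ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => gmdate( 'Y-m-d H:i:s', $since_ts ) ) ),
        'fields'     => array( 'ID', 'user_login', 'user_registered' ),
    ) );
}
```

The two handlers differ in three places: the hook prefix (wp_ajax_ instead of wp_ajax_nopriv_), the nonce and capability checks at the top, and the fact that the hardened version never lets the caller choose the credentials. Even the hardened form still mints an administrator, so the demo_recent_admins() helper is worth running against any site that exposed the unpatched endpoint, and any unexpected account it returns should be treated as a compromise indicator rather than cleaned up silently.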