Attackers are trying to take over WordPress sites that use the WP Maps Pro plugin by secretly creating their own administrator accounts. The bug, CVE-2026-8732, affects WP Maps Pro 6.1.0 and earlier and stems from an unauthenticated AJAX endpoint tied to a temporary support-access feature; a crafted request can create an admin user and generate a passwordless login link. Wordfence says it blocked more than 3,600 exploitation attempts in 24 hours, and the vendor fixed the issue in version 6.1.1 on May 20, 2026.
Why it matters: Any site running the vulnerable plugin can be fully taken over, letting attackers plant backdoors, change content, or steal data. Users should update WP Maps Pro to 6.1.1 or later immediately and review WordPress admin accounts for unexpected new users.
Ionut Arghire
2026.06.01
99% relevant
This article covers the same underlying event: active exploitation of CVE-2026-8732 in the WP Maps Pro plugin. It adds technical details on the root cause in the AJAX temporary-access callback, notes that version 6.1.1 fixes the issue, and reports that Defiant blocked more than 1,700 attack attempts in 24 hours.
The Hacker News
2026.06.01
99% relevant
This article covers the same underlying event: active exploitation of the WP Maps Pro flaw CVE-2026-8732 to create rogue admin accounts on vulnerable WordPress sites.
Bill Toulas
2026.05.31
100% relevant
This article establishes a distinct new story: active exploitation of CVE-2026-8732 in the WP Maps Pro plugin, including the flaw details, affected versions, patch release, and observed attack volume.