Critical WP Maps Pro Zero-Day Allows Admin Account Creation
Security researchers have identified active exploitation of a critical zero-day vulnerability in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8732 and rated 9.8/10 in severity. The flaw lets unauthenticated remote attackers create administrator accounts on vulnerable WordPress sites, which amounts to full control of the affected site. It was reported by security researcher David Brown on March 24, 2026; the vendor, Flipper Code, was notified on May 16 after the exploit had been validated. WP Maps Pro is a premium plugin with more than 15,800 sales on Envato Market, used by businesses, real-estate and travel sites, and directories to display interactive maps and store locators backed by Google Maps or OpenStreetMap. All versions up to and including 6.1.0 are affected; version 6.1.1, released on May 20, 2026, contains the fix.
The root cause of CVE-2026-8732 is a "temporary access" feature meant to let the vendor's support staff troubleshoot customer sites. Researchers at Wordfence (Defiant) found that the AJAX endpoint behind this feature was reachable by unauthenticated users and was protected only by a nonce embedded in the site's frontend JavaScript. A WordPress nonce is a CSRF token, not an authentication or authorization check, and one printed into page source is available to anyone who loads the page. When an attacker sends a crafted request with the check_temp parameter set to false, the vulnerable function calls wp_insert_user() to create a new user with the hardcoded administrator role, a randomly generated username, and the email address support@flippercode.com. It then generates a "magic login URL" via generate_login_link(), stores it as user metadata, and returns it in the response. Visiting that URL logs the attacker in as the new administrator with no password or further verification.
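The pattern described above, reduced to a minimal plugin snippet, with a hardened handler beside it. This is an added illustration, not WP Maps Pro's source or Wordfence's analysis code: the action name wpmp_temp_access, the script handle, the meta keys and the wpmp_* helper functions are assumptions, and the snippet assumes it is loaded as a WordPress plugin so that core functions such as wp_insert_user() and check_ajax_referer() exist. Both handlers are shown in one file for comparison; a real plugin would register only one of them.

```php
<?php
/*
 * Added illustration of the CVE-2026-8732 bug class (not the plugin's own code).
 * Assumed names: action 'wpmp_temp_access', script handle 'wpmp-front',
 * meta keys 'wpmp_*', helper wpmp_generate_login_link(). Requires WordPress core.
 */

/* ---------- Vulnerable pattern: the nonce is the only gate, and it is public ---------- */

// The nonce is written into page JavaScript for every visitor, logged in or not.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('wpmp-front', plugins_url('front.js', __FILE__), [], '1.0', true);
    wp_localize_script('wpmp-front', 'wpmpData', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('wpmp_temp_access'),
    ]);
});

// wp_ajax_nopriv_* exposes the handler to requests with no logged-in user at all.
add_action('wp_ajax_nopriv_wpmp_temp_access', 'wpmp_temp_access_vulnerable');
add_action('wp_ajax_wpmp_temp_access', 'wpmp_temp_access_vulnerable');

function wpmp_temp_access_vulnerable() {
    // Passes for anyone who copied the nonce out of the page source; no capability check follows.
    check_ajax_referer('wpmp_temp_access', 'nonce');

    if (isset($_REQUEST['check_temp']) && $_REQUEST['check_temp'] === 'false') {
        $user_id = wp_insert_user([
            'user_login' => 'support_' . wp_generate_password(8, false),
            'user_pass'  => wp_generate_password(24),
            'user_email' => 'support@flippercode.com',
            'role'       => 'administrator',               // hardcoded privilege
        ]);
        if (is_wp_error($user_id)) {
            wp_send_json_error($user_id->get_error_message());
        }
        // A passwordless login URL is minted and handed straight back to the caller.
        wp_send_json_success(['login_url' => wpmp_generate_login_link($user_id)]);
    }
    wp_send_json_error('nothing to do');
}

/* ---------- Hardened pattern: authenticate, authorise, limit, record ---------- */

// No wp_ajax_nopriv_ registration: anonymous callers never reach the function.
add_action('wp_ajax_wpmp_temp_access', 'wpmp_temp_access_hardened');

function wpmp_temp_access_hardened() {
    check_ajax_referer('wpmp_temp_access', 'nonce');      // CSRF protection only
    if (!current_user_can('manage_options')) {            // the actual authorisation check
        wp_send_json_error('forbidden', 403);
    }
    $user_id = wp_insert_user([
        'user_login' => 'support_' . wp_generate_password(8, false),
        'user_pass'  => wp_generate_password(32),
        'user_email' => 'support@flippercode.com',
        'role'       => 'administrator',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message());
    }
    // Record who granted access and when; a scheduled task (not shown) should delete
    // the account once 'wpmp_expires' has passed.
    update_user_meta($user_id, 'wpmp_granted_by', get_current_user_id());
    update_user_meta($user_id, 'wpmp_expires', time() + DAY_IN_SECONDS);
    wp_send_json_success(['login_url' => wpmp_generate_login_link($user_id, HOUR_IN_SECONDS)]);
}

// Assumed stand-in for the plugin's generate_login_link(): only a hash of the token is
// stored and it expires. The consuming login endpoint (not shown) must compare with
// hash_equals(), reject expired tokens, and delete the meta after a single use.
function wpmp_generate_login_link($user_id, $ttl = 3600) {
    $token = bin2hex(random_bytes(32));
    update_user_meta($user_id, 'wpmp_login_token_hash', hash('sha256', $token));
    update_user_meta($user_id, 'wpmp_login_token_expires', time() + $ttl);
    return add_query_arg(['wpmp_token' => $token, 'uid' => (int) $user_id], home_url('/'));
}
```

The important difference is not the helper but the two lines at the top of the hardened handler: dropping the wp_ajax_nopriv_ hook keeps anonymous traffic out, and current_user_can('manage_options') ties the action to a capability rather than to a value any visitor can read from the page.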
Wordfence reports active exploitation, having blocked more than 3,600 attack attempts in a single 24-hour period. With an administrator account, an attacker can install persistent web shells, modify site content, read customer data, install malicious plugins and take over the site outright. Site owners should update to WP Maps Pro 6.1.1 or later immediately, then audit the user list for administrator accounts they do not recognise (in particular any whose email address is support@flippercode.com) and review web server logs for requests to admin-ajax.php around the time such an account was created. A rogue administrator should be treated as evidence of compromise rather than simply deleted: check the filesystem and the installed plugins for anything the intruder left behind. An external scan of the site's exposed services and a review of who can access what can complement this, but neither replaces the update.
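A small triage script for the two checks above (log review and administrator audit), added here as an example rather than taken from the page or the vendor. It runs with plain `php triage.php` and does not need WordPress: the access-log lines and the user CSV are constructed samples, the CSV columns match what `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` (WP-CLI) produces, and the action name wpmp_temp_access in the sample log is an assumption. The cutoff date passed to suspicious_admins() is whatever the reviewer considers the start of the exposure window.

```php
<?php
/*
 * Added triage helper for CVE-2026-8732 clean-up (example code, not from the page).
 * Inputs below are constructed samples; the admin-ajax action name is assumed.
 */

// Constructed Apache/Nginx combined-format lines. The second attacker line sends check_temp in
// the POST body, which never reaches the access log: that is the blind spot this script cannot close.
$access_log = <<<LOG
203.0.113.7 - - [21/May/2026:03:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpmp_temp_access&check_temp=false HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [21/May/2026:03:14:06 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2026:03:14:08 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
LOG;

// 1) Requests to admin-ajax.php whose query string carries check_temp=false.
function suspicious_requests(string $log): array {
    $hits = [];
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                                  // not a combined-format line
        }
        [, $ip, $ts, $method, $path, $status] = $m;
        if (strpos($path, 'admin-ajax.php') === false) {
            continue;
        }
        $query = [];
        parse_str((string) parse_url($path, PHP_URL_QUERY), $query);
        if (isset($query['check_temp']) && strtolower($query['check_temp']) === 'false') {
            $hits[] = compact('ip', 'ts', 'method', 'status') + ['reason' => 'check_temp=false'];
        }
    }
    return $hits;
}

// Constructed export of the administrator list (same shape as the WP-CLI command in the lead-in).
$admin_csv = <<<CSV
ID,user_login,user_email,user_registered
1,owner,owner@example.com,2023-02-11 09:30:12
17,k3j9x2qa,support@flippercode.com,2026-05-21 03:14:05
CSV;

// 2) Administrators matching what the exploit creates: the vendor support e-mail the page
//    describes, or any account registered inside the exposure window given as $since (Y-m-d).
function suspicious_admins(string $csv, string $since): array {
    $rows   = array_map('str_getcsv', preg_split('/\R/', trim($csv)));
    $header = array_shift($rows);
    $flagged = [];
    foreach ($rows as $row) {
        $u = array_combine($header, $row);
        $reasons = [];
        if (strcasecmp($u['user_email'], 'support@flippercode.com') === 0) {
            $reasons[] = 'vendor support e-mail';
        }
        if (substr($u['user_registered'], 0, 10) >= $since) {   // Y-m-d sorts lexically
            $reasons[] = 'registered on/after ' . $since;
        }
        if ($reasons) {
            $flagged[(int) $u['ID']] = ['login' => $u['user_login'], 'reasons' => $reasons];
        }
    }
    return $flagged;
}

foreach (suspicious_requests($access_log) as $h) {
    printf("LOG  %s %s %s -> %s (%s)\n", $h['ts'], $h['ip'], $h['method'], $h['status'], $h['reason']);
}
foreach (suspicious_admins($admin_csv, '2026-03-24') as $id => $a) {
    printf("USER #%d %s: %s\n", $id, $a['login'], implode(', ', $a['reasons']));
}
```

On the sample data the first attacker request and user #17 are flagged, while the attacker's second request is not, because the parameter travelled in the POST body. That is why the user audit matters more than the log search: an account with the vendor's support address, or any administrator created in a window the site owner cannot account for, is the reliable indicator.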