Skip to main content
Emerging ThreatsMalware & Ransomware

Hackers Exploit WP Maps Pro Bug to Hijack WordPress Sites

Person typing on laptop with blurred map interface on screen, symbolizing WordPress site security breach.

Researchers at WordPress security company Defiant say they “blocked more than 3,600 attempts over the past 24 hours” to exploit a critical flaw in the WP Maps Pro plugin that lets unauthenticated attackers create administrator accounts and log in without a password.

CVE-2026-8732 and the temporary access feature in WP Maps Pro

The flaw, tracked as CVE-2026-8732, affects WP Maps Pro version 6.1.0 and older and was reported by security researcher David Brown. WP Maps Pro is a premium WordPress plugin used to build interactive maps and store locators and supports multiple map providers such as Google Maps and OpenStreetMap; it has logged more than 15,800 sales on the Envato Market. The vulnerability stems from a “temporary access” feature intended to let vendor support staff access customer sites for troubleshooting.

How the bug lets attackers create administrator accounts

Brown found that an AJAX endpoint used by the temporary access feature was exposed to unauthenticated users and relied solely on a nonce check present in frontend JavaScript. That frontend nonce protection was insufficient. An attacker can send a specially crafted request that triggers code to create a new WordPress user, assign it the administrator role, generate a passwordless login URL, and send that URL to a remote system.

As Defiant explains, “When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com.” The function then “generates a ‘magic login URL’ using generate_login_link(), stores it as user meta, and returns it in the response body.” Visiting that URL authenticates the visitor to the newly created administrator account with no password or other verification.

Observed exploitation and vendor timeline

Defiant’s telemetry shows active exploitation attempts, a warning echoed by the volume of blocks — more than 3,600 in a 24‑hour window. David Brown reported the flaw to Wordfence on March 24. After Wordfence validated the exploit, the vendor was notified on May 16. WP Maps Pro 6.1.1 was released on May 20 with a patch addressing CVE-2026-8732. The vendor and researchers recommend administrators update their plugins as soon as possible, given that malicious activity had already been observed.

Risks from attacker control of administrator accounts

Administrator‑level access to a WordPress site is comprehensive. According to the reporting, attackers who gain admin rights can inject persistent backdoors, modify content, access private data, deploy web shells, install malicious plugins, and otherwise take over the website. The specific exploitation pathway in this case produces both a hardcoded support email address (support@flippercode.com) associated with the created account and a returned magic login URL — artifacts that defenders can look for when investigating possible compromise.

What this means for businesses, security teams, and plugin vendors

  • Businesses that use WP Maps Pro — including real estate websites, travel sites, directories, storefronts and other organizations that display multiple locations on maps — should prioritize updating to WP Maps Pro 6.1.1 because the plugin’s user base and the observed malicious activity raise the risk of compromise.
  • Security teams and site administrators should watch for signs tied to the vulnerability: newly created administrator accounts with randomly generated usernames and the hardcoded email address support@flippercode.com, and unexpected user meta entries that contain magic login URLs returned by the endpoint. Those indicators flow directly from how the exploit constructs and delivers access.
  • Plugin vendors and support teams should note the root cause here: an unauthenticated AJAX endpoint protected only by a frontend nonce can be invoked by attackers. The temporary access mechanism in this plugin relied on such a pattern, which researchers found exploitable.

The sequence is straightforward and urgent: a support convenience feature, an exposed AJAX endpoint, and a frontend nonce that could be bypassed combined to hand attackers administrator access — and researchers observed active exploitation. With WP Maps Pro 6.1.1 released on May 20 and defensive blocks already recorded, the pressing question is whether administrators will apply the patch quickly enough to stop further compromises.

Source: BleepingComputer — WP Maps Pro bug exploited to create admin accounts on WordPress sites