WordPress site owners using WP Maps Pro should treat CVE-2026-8732 as an active takeover risk, not just a routine plugin update. The flaw lets an unauthenticated visitor create a new administrator account on sites running WP Maps Pro 6.1.0 or earlier, and the public reporting now includes exploitation attempts against real WordPress sites.[1][2]
The short version is simple: update WP Maps Pro to 6.1.1 or newer, then inspect the site for unexpected administrators. Wordfence rates the issue 9.8 critical and lists the affected range as all versions up to and including 6.1.0.[1] NVD mirrors the core impact: the vulnerable handler can create an administrator user and return a login path that authenticates the attacker as that account.[3]

WP Maps Pro is a commercial mapping and store-locator plugin used by businesses, directories, real estate sites, travel sites, and other WordPress installations that need interactive maps. BleepingComputer noted that the plugin has more than 15,800 Envato Market sales, which makes this more than a niche bug for abandoned hobby sites.[2]
What administrators should check now
The vulnerable feature was meant to provide temporary support access. The problem is that its AJAX action was exposed to unauthenticated users and depended on a nonce value that could be read from frontend JavaScript, so the nonce did not prove that the caller was a trusted administrator.[1] In practical terms, a reachable affected site could let an outsider mint a WordPress admin user without already having a password.
After updating, review Users -> Administrators for accounts you did not create, especially recently created users or accounts tied to support-style addresses. Wordfence’s description says the vulnerable path used a hardcoded administrator role and support email in the account creation flow, so a clean plugin version does not automatically remove a rogue user that may already exist.[1]
Server logs are also worth checking. Look for unusual hits to WordPress AJAX endpoints, repeated requests around pages that render maps, and admin sessions that appear shortly after anonymous frontend traffic. If a suspicious administrator account exists, assume the attacker may have installed another plugin, changed theme files, added a web shell, or created a second persistence account before you noticed it.
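As an added illustration of the log review described above (this is not code from the article, from Wordfence, or from the plugin vendor), the following Python script correlates access-log lines: it flags source addresses that POST to admin-ajax.php and then reach a wp-admin page within a short window. The sample log lines, addresses and hostname are constructed, and because the plugin's actual AJAX action name is not given here, the filter matches any admin-ajax.php POST.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
# The first address POSTs to admin-ajax.php and reaches the users screen seconds later;
# the second POSTs (a normal frontend form) and never touches wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:14:02 +0000] "GET /store-locator/ HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:14:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "https://example.test/store-locator/" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:14:09 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 18044 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2026:11:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/contact/" "Mozilla/5.0"
198.51.100.23 - - [30/May/2026:11:30:00 +0000] "GET /about/ HTTP/1.1" 200 5012 "-" "Mozilla/5.0"
"""

# Combined-format fields we need: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield (ip, timestamp, method, path-without-query) for each parseable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?")[0]


def suspicious_ips(log_text, window=timedelta(minutes=15)):
    """Return {ip: (ajax_post_time, first_wp_admin_hit_time)} for addresses that
    POSTed to admin-ajax.php and then requested a wp-admin page within `window`."""
    ajax_posts = defaultdict(list)
    admin_hits = defaultdict(list)
    for ip, ts, method, path in parse(log_text.splitlines()):
        if method == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            ajax_posts[ip].append(ts)
        elif path.startswith("/wp-admin/") and not path.endswith("admin-ajax.php"):
            admin_hits[ip].append(ts)  # any other wp-admin page implies a logged-in session
    flagged = {}
    for ip, posts in ajax_posts.items():
        for post_ts in posts:
            later = [h for h in admin_hits.get(ip, []) if timedelta(0) <= h - post_ts <= window]
            if later:
                flagged[ip] = (post_ts, min(later))
                break
    return flagged


if __name__ == "__main__":
    for ip, (post_ts, admin_ts) in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: admin-ajax POST at {post_ts}, wp-admin hit at {admin_ts}")
```

Legitimate logged-in administrators also hit admin-ajax.php, so treat matches as triage leads scoped to the exposure window and cross-check them against the administrator list and its registration dates (WP-CLI's `wp user list --role=administrator` gives that on the command line).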
This is the same operational lesson seen in many WordPress plugin incidents: the vulnerable component is only the entry point. Older HowToFix coverage of Elementor Pro exploitation, the AIOS WordPress plugin password exposure, and broader CMS compromise stories such as Ghost CMS ClickFix injection all point to the same follow-up work: patch first, then verify accounts, files, and persistence.
For sites that were exposed, the minimum response is to update WP Maps Pro, remove unknown administrators, rotate passwords for real admins, invalidate active sessions, check recently modified plugin/theme files, and review outbound connections from the server. If the site handles customer data or payments, preserve logs before cleanup so the incident window can be reconstructed.
References
- [1] Wordfence Intelligence. WP Maps Pro <= 6.1.0 – Unauthenticated Privilege Escalation via Administrator Account Creation. Published May 28, 2026; updated May 29, 2026.
- [2] BleepingComputer. WP Maps Pro bug exploited to create admin accounts on WordPress sites. May 31, 2026.
- [3] National Vulnerability Database. CVE-2026-8732 Detail. Published May 29, 2026.