WP Maps Pro plugin flaw used to create admin accounts on WordPress sites saw 3,600 exploitation attempts in a single day


  • Researchers disclosed a critical flaw in WP Maps Pro allowing attackers to create new accounts with a hardcoded administrator role
  • Exploitation is active: Wordfence blocked over 3,600 attempts in a single day
  • Patch released May 20 (v6.1.1); users must upgrade immediately

Criminals are actively exploiting a critical vulnerability in a popular WordPress plugin to create administrator accounts and take over entire websites. This is according to multiple security researchers, including David Brown, who first disclosed the flaw, and Defiant, which confirmed in-the-wild exploitation attempts.

The plugin in question is WP Maps Pro, a premium WordPress plugin used to build customizable maps, interactive store locators and similar features on top of either Google Maps or OpenStreetMap. The plugin is currently used by more than 15,000 websites, according to Envato Market numbers.

As per Brown’s research, the plugin is affected by a “privilege escalation via administrator account creation” vulnerability which allows threat actors to create a new WordPress user with a hardcoded administrator role. The vulnerability is now tracked as CVE-2026-8732 and carries a severity score of 9.8/10 (critical). It affects versions 6.1.0 and older.


Applying a fix

Defiant, the cybersecurity company behind Wordfence, said its researchers observed and stopped more than 3,600 exploitation attempts in just one day.

“When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com,” the researchers said. “The function then generates a ‘magic login URL’ using generate_login_link(), stores it as user meta, and returns it in the response body.”
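The sequence the researchers describe, reconstructed here as an added PHP example. This is not WP Maps Pro’s code: the AJAX action name, the wpmp_example_ helper names, the meta key, the assumption that check_temp arrives as the string "false", and the stand-in for the plugin’s generate_login_link() are all assumptions. The first function reproduces the vulnerable pattern; the second shows the same operation gated the way a WordPress request handler should be.

```php
<?php
// Added example: reconstruction of the pattern described in the advisory, not the plugin's code.
// Assumed: the handler is reached through admin-ajax.php, and generate_login_link() is stood
// in for by wpmp_example_login_link(). Requires a loaded WordPress environment.

function wpmp_example_login_link($user_id) {
    // Stand-in for the plugin's generate_login_link(): a bearer token embedded in a URL.
    $token = wp_generate_password(32, false);
    update_user_meta($user_id, 'wpmp_example_login_token', wp_hash_password($token));
    return add_query_arg(array('wpmp_user' => $user_id, 'wpmp_token' => $token), home_url('/'));
}

// VULNERABLE: no capability check, no nonce, and a privileged side effect driven purely by a
// request parameter. In the vulnerable case a handler like this is reachable through an
// AJAX action open to unauthenticated callers (a wp_ajax_nopriv_* hook); it is not hooked here.
function wpmp_example_create_user_vulnerable() {
    $check_temp = isset($_POST['check_temp']) ? $_POST['check_temp'] : 'true';
    if ($check_temp !== 'false') {
        wp_send_json_success(array('created' => false));
    }
    $user_id = wp_insert_user(array(
        'user_login' => 'wpmp_' . wp_generate_password(8, false), // random username
        'user_pass'  => wp_generate_password(24, true),
        'user_email' => 'support@flippercode.com',               // hardcoded address (per the advisory)
        'role'       => 'administrator',                         // hardcoded privileged role
    ));
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message());
    }
    $url = wpmp_example_login_link($user_id);
    update_user_meta($user_id, 'wpmp_example_magic_login_url', $url); // assumed meta key
    wp_send_json_success(array('login_url' => $url)); // hands an admin session straight to the caller
}

// HARDENED: only a logged-in user who may create users, presenting a valid nonce, reaches the
// side effect; the new account gets the site's default role; no login URL is ever returned.
function wpmp_example_create_user_hardened() {
    if (!is_user_logged_in() || !current_user_can('create_users')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('wpmp_example_create_user', 'nonce'); // dies on a missing or bad nonce

    $check_temp = isset($_POST['check_temp']) ? sanitize_text_field(wp_unslash($_POST['check_temp'])) : 'true';
    if ($check_temp !== 'false') {
        wp_send_json_success(array('created' => false));
    }
    $email = isset($_POST['user_email']) ? sanitize_email(wp_unslash($_POST['user_email'])) : '';
    if (!is_email($email)) {
        wp_send_json_error('a valid user_email is required', 400);
    }
    $user_id = wp_insert_user(array(
        'user_login' => 'wpmp_' . wp_generate_password(8, false),
        'user_pass'  => wp_generate_password(24, true),
        'user_email' => $email,
        'role'       => get_option('default_role'), // never a hardcoded privileged role
    ));
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 500);
    }
    wp_send_json_success(array('user_id' => $user_id)); // no magic link in the response
}
// Logged-in callers only: there is deliberately no wp_ajax_nopriv_ registration.
add_action('wp_ajax_wpmp_example_create_user', 'wpmp_example_create_user_hardened');
```

The two checks that matter are the capability test and the nonce; the parameter handling is secondary. Note that in WordPress the `role` key passed to wp_insert_user() is honoured as-is, so any code path that lets a caller influence it, or that hardcodes a privileged role behind an unauthenticated hook, is an account-takeover primitive on its own, independent of the magic login link.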

The fix was released four days after initial disclosure, on May 20. Users are advised to upgrade to version 6.1.1 as soon as possible, since unpatched sites remain exposed to these attempts.
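Upgrading closes the hole but does not remove accounts created before the patch was applied. The following added PHP example (not from the advisory or the plugin) enumerates administrators and flags the two indicators the researchers describe: the hardcoded support@flippercode.com address and a magic login URL stored as user meta. The meta key the plugin uses is not public, so the URL check is a heuristic over every meta value; the wpmp_example_ name is an assumption.

```php
<?php
// Added example: hunt for administrator accounts matching the indicators described above.
// Run it from a mu-plugin, `wp eval-file`, or a one-off script that loads wp-load.php.
// Assumed: the magic login URL is stored verbatim as a user meta value pointing at this site.

function wpmp_example_find_suspect_admins() {
    $suspects = array();
    foreach (get_users(array('role' => 'administrator')) as $user) {
        $reasons = array();

        if (strcasecmp($user->user_email, 'support@flippercode.com') === 0) {
            $reasons[] = 'hardcoded vendor e-mail from the exploit';
        }

        // get_user_meta() with no key returns every meta key mapped to an array of values.
        foreach (get_user_meta($user->ID) as $key => $values) {
            foreach ((array) $values as $value) {
                if (is_string($value) && strpos($value, home_url('/')) === 0) {
                    $reasons[] = "meta '{$key}' holds an absolute URL to this site (possible magic login link)";
                    break 2;
                }
            }
        }

        if ($reasons) {
            $suspects[$user->ID] = array(
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered, // anchors the timeline for web-log review
                'reasons'    => $reasons,
            );
        }
    }
    return $suspects;
}

foreach (wpmp_example_find_suspect_admins() as $id => $s) {
    printf("user %d (%s, %s) registered %s: %s\n",
        $id, $s['login'], $s['email'], $s['registered'], implode('; ', $s['reasons']));
}
```

Treat hits as leads rather than proof: legitimate plugins also store site URLs in user meta. Any administrator with the vendor address, or one whose registration time falls inside the exploitation window, should be deleted, and the remaining accounts’ passwords and application passwords rotated, since the magic link gives the attacker an authenticated session that survives the plugin upgrade.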

With WordPress powering much of today’s internet, it is also one of the most targeted platforms in existence. Its vast ecosystem of plugins and themes, both free and premium, is constantly being abused in attacks such as this one.

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
