• WP Maps Pro plugin flaw to create admin accounts on WordPress sites

    From TechnologyDaily@1337:1/100 to All on Monday, June 01, 2026 15:15:27
    WP Maps Pro plugin flaw to create admin accounts on WordPress sites saw 3,600 attempts in a single day

    Date:
    Mon, 01 Jun 2026 14:05:00 +0000

    Description:
    Thousands of attacks were seen in a single day as a patch is rolled out.

    FULL STORY ======================================================================

    - Researchers disclosed a critical flaw in WP Maps Pro allowing attackers to create hardcoded admin accounts
    - Exploitation is active: Wordfence blocked over 3,600 attempts in a single day
    - Patch released May 20 (v6.1.1); users must upgrade immediately

    Criminals are actively exploiting a critical vulnerability in a popular WordPress plugin to create admin accounts and thus take over entire websites. This is according to multiple security researchers, including David Brown (who first disclosed the flaw) and Defiant, who confirmed in-the-wild exploitation attempts.

    The plugin in question is WP Maps Pro, a premium WordPress plugin used to create customizable maps, interactive store locators, and similar, using either Google Maps or OpenStreetMap. The plugin is currently used by more than 15,000 websites, according to Envato Market numbers. As per Brown's research, the plugin suffered from a privilege escalation via administrator account creation vulnerability, which allowed threat actors to create a new WordPress user with a hardcoded admin role. The vulnerability is now tracked as CVE-2026-8732 and carries a severity score of 9.8/10 (critical). It was found in versions 6.1.0 and older.

    Applying a fix

    Defiant, the cybersecurity company behind Wordfence, said its researchers observed and stopped more than 3,600 exploitation attempts in just one day.

    When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com, the researchers said. The function then generates a magic login URL using generate_login_link(), stores it as user meta, and returns it in the response body.
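    As an added defender-side example, not part of the article or of the plugin's own code, the Python below audits a WordPress user export and a web-server access log for the indicators the researchers describe: an administrator account carrying the hardcoded email support@flippercode.com and a random-looking username created after disclosure, and requests that pass check_temp=false. The endpoint path, IP addresses, usernames and the random-username heuristic are constructed assumptions; the write-up does not name the vulnerable endpoint.

```python
import json
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs
# Indicators from the write-up: a new administrator with the hardcoded email
# support@flippercode.com and a random username; trigger is check_temp=false.
HARDCODED_EMAIL = "support@flippercode.com"
DISCLOSURE_DATE = datetime(2026, 5, 16)  # four days before the May 20 fix
RANDOM_LOGIN = re.compile(r"^[a-z0-9]{12,}$")  # assumption: random-looking login

# Constructed sample of `wp user list --format=json` output (not real data).
USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "alice", "user_email": "alice@example.com",
     "user_registered": "2024-01-10 09:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "k3j9x0q2m7vb", "user_email": "support@flippercode.com",
     "user_registered": "2026-05-21 03:14:09", "roles": "administrator"},
])

def suspicious_admins(users_json):
    """Return (user_login, reasons) for administrator accounts matching the IoCs."""
    hits = []
    for u in json.loads(users_json):
        if "administrator" not in u["roles"].split(","):
            continue
        reasons = []
        if u["user_email"].lower() == HARDCODED_EMAIL:
            reasons.append("hardcoded email")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= DISCLOSURE_DATE and RANDOM_LOGIN.match(u["user_login"]):
            reasons.append("random login after disclosure")
        if reasons:
            hits.append((u["user_login"], reasons))
    return hits

# Constructed access-log lines (placeholder path; the write-up names no endpoint).
ACCESS_LOG = """\
203.0.113.5 - - [21/May/2026:03:14:08 +0000] "GET /index.php?check_temp=false HTTP/1.1" 200 312
198.51.100.7 - - [21/May/2026:03:20:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120
"""

def check_temp_requests(log_text):
    """Return (client_ip, path) for requests whose query string carries check_temp=false."""
    found = []
    for line in log_text.splitlines():
        if m := re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ', line):
            url = urlparse(m.group(2))
            if "false" in [v.lower() for v in parse_qs(url.query).get("check_temp", [])]:
                found.append((m.group(1), url.path))
    return found
```

    Parameters sent in a POST body do not appear in a standard access log, so the request check only catches query-string use; a WAF or application log is needed for the rest.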

    The fix was released four days after initial disclosure, on May 20. Users are advised to upgrade to version 6.1.1 as soon as possible to avoid being targeted.

    With WordPress powering much of today's internet, it is also one of the most targeted platforms in existence. Its vast ecosystem of plugins and themes, both free and premium, is constantly being abused in attacks such as this one.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/wp-maps-pro-plugin-flaw-to-create-admin-accounts-on-wordpress-sites-saw-3-600-attempts-in-a-single-day


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)